DOCUMENT RESUME

ED 165 781                                        IR 006 840

AUTHOR          Branstad, Dennis K., Ed.
TITLE           Computer Security and the Data Encryption Standard.
                Proceedings of the Conference on Computer Security
                and the Data Encryption Standard.
INSTITUTION     National Bureau of Standards (DOC), Washington, D.C.
                Inst. for Computer Sciences and Technology.
REPORT NO       NBS-SP-500-27
PUB DATE        Feb 78
NOTE            13Jp.; Computer Science & Technology Series
                (Conference held at Gaithersburg, Maryland, February
                15, 1977)
AVAILABLE FROM  Superintendent of Documents, U.S. Government Printing
                Office, Washington, D.C. 20402 (Stock No.
                003-003-01891-1, $3.00)
EDRS PRICE      MF-$0.83 HC-$7.35 Plus Postage.
DESCRIPTORS     Algorithms; *Codification; *Computers; Conference
                Reports; *Data Processing; Equipment; Flow Charts;
                Information Networks; *Security Personnel; *Standards
IDENTIFIERS     *Computer Software; Data Encryption

ABSTRACT
The 15 papers and summaries of presentations in this collection provide technical information and guidance offered by representatives from federal agencies and private industry. Topics discussed include physical security, risk assessment, software security, computer network security, and applications and implementation of the Data Encryption Standard. A list of questions submitted in writing at the conference together with responses, prepared by either the speaker, the session chairman, or the editor, are appended. (CMV)

Reproductions supplied by EDRS are the best that can be made from the original document.






COMPUTER SCIENCE & TECHNOLOGY:

Computer Security and the
Data Encryption Standard

Proceedings of the Conference on Computer Security
and the Data Encryption Standard Held at the
National Bureau of Standards in Gaithersburg,
Maryland on February 15, 1977

Dennis K. Branstad, Editor

Systems and Software Division
Institute for Computer Sciences and Technology
National Bureau of Standards
Washington, D.C. 20234

Sponsored by the
National Bureau of Standards
and the
U.S. Civil Service Commission






U.S. DEPARTMENT OF COMMERCE, Juanita M. Kreps, Secretary
Dr. Sidney Harman, Under Secretary
Jordan J. Baruch, Assistant Secretary for Science and Technology
NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Acting Director
Issued February 1978




Hack (udi^toinsiz haj> been Qi\Jzn to tkz auuthou oi tkU 

ojS dzpoJuCmznt^l and thz ci64>o<UjCutt6^^ thz ajjo^men^rtcH 
ajdmAjnl^tAotivz p£/uonnztp cu> i^dlt cu imche/Up havz coiU^iJJbatzd 
mmz/i6aJ> Jjdrn^ and havt pz/unUtzd ai to d^veZopdvU aAtictz.% 



LEADERSHIP SKILLS OF THE FUTURE

INTRODUCTION

The Question Being Raised

When one raises the question, "What are the leadership skills of the future going to be?", there is often an almost automatic reaction that they will be no different from what was required in the past. While there is no doubt some truth to the belief that the successful leader of the future will require certain highly valued leadership characteristics of the past, it appears equally valid that, as society changes, it makes different demands upon its leaders. Therefore, while many of the leadership skills which will be sought have been around for a while, there will be a greater need for some than others. "Which will be the leadership skills of leaders in education which will become increasingly important in the future?" is the main focus of this article.



Approach to the Study of the Question

In order to hypothesize and attempt to anticipate and predict what the key skills of the future for leaders in education will be, we have borrowed from "systems theory". Most simply stated, the theory suggests that change in the large system, for example a country, has an impact upon the smaller system, such as a province. We have extended that idea to suggest that, if this is true, then the major actors of the smaller systems will have to cope differently with new pressures which will require different behaviours.



[Figure: SYSTEM CHANGE(S) -> SUB-SYSTEM CHANGE(S) -> LEADER BEHAVIOUR CHANGE(S)]







Following is a concrete example to indicate more clearly and precisely what is being suggested. Let us consider a school board as a large system which has jurisdiction, for educational matters, over a certain number of square miles. Within that large system, there are a number of schools. The schools, as we are using the definition in this particular thesis, are the sub-systems of that larger system which are affected by changes in the supra-system.

Below are key definitions which will assist the reader in understanding more easily the ideas which are being proposed herein.

The "system" to which reference is made frequently is North American society. The "sub-systems" which are discussed are the educational systems in this society, for example school boards, community colleges, universities, with special emphasis on Ontario institutions.

The "leader" or "leaders" involved in this discussion are primarily the Chief Executive Officers or their immediate advisors. However, a number of people might qualify for the definition of Chief Executive Officer: in reality, it is anyone who is responsible for a discrete administrative unit, such as a college, a university, a school system, a family of schools, a school, or, if there is a department within a school, college or university, that particular department.

With regard to "leader behaviours", it should be noted that there is a concentration on behaviours which are seen as some of the key ones, but not necessarily the only ones which will be required of successful leaders of the future.



Recapitulation and Statement of the Problem

To recapitulate: first, we shall identify a small number of Canadian societal changes which may have emanated from a shift in North American or world policies, ones which might also be present in Ontario;



ACKNOWLEDGEMENTS

The following individuals made significant contributions to the success of the conference and to the publication of these proceedings:

Mrs. Anne Shreve, NBS (Conference Manager)
Mrs. Sara Torrence, NBS (Arrangements Chairman)
Mr. Fred Rao, CSC (Nominations Chairman)
Mrs. Grace Burns, NBS (Institute Liaison)
Mrs. Mary Ellen Crane, NBS (Proceedings Typist)






EDITOR'S COMMENT

All but five of the published papers were received directly from the author(s). The other five papers (Courtney, Rallapalli, Crumb, McDonnell, and Tuchman) were edited from the taped presentations made at the Conference. None of the slides shown during these presentations were available for publication in these proceedings.

Certain commercial products are identified in these proceedings in order to specify adequately experimental procedures. In no case does such identification imply recommendation or endorsement by the National Bureau of Standards, nor does it imply that the products or equipment identified are necessarily the best available for the purpose.



CONFERENCE ON COMPUTER SECURITY
AND THE
DATA ENCRYPTION STANDARD

PROGRAM AND INDEX

1. WELCOME AND INTRODUCTION .......................................... 2
   Mr. S. Jeffery, National Bureau of Standards

2. The Data Encryption Standard in Perspective ....................... 4
   Dr. Ruth M. Davis, National Bureau of Standards

3. Major Computer Security Aspects Related to the Data
   Encryption Standard (Picture of Participants) ..................... 14

   3.1 Computer Security Risk Assessment
       Mr. Robert H. Courtney, IBM Corporation

   3.2 Data Encryption and its Relationship to Physical
       Security Planning
       Mr. Robert V. Jacobson, Chemical Bank

   3.3 Computer Systems Security and the NBS-DES
       (Beyond Line Encryption) ...................................... 25
       Mr. Clark Weissman, System Development Corporation

4. Considerations in Procurement and Use of Data
   Encryption Devices (Picture of Participants) ...................... 37

   4.1 Considerations in Applying an Encryption Device
       to a Communications Network ................................... 38
       Mr. Barrie Morgan, Datotek, Inc.

   4.2 The Management of Encryption Keys .............................. 46
       Mr. David J. Sykes, Honeywell Information Systems, Inc.

   4.3 Design and Specification of Cryptographic Capabilities ......... 54
       Carl M. Campbell, Jr. (Consultant) Interbank
       Card Association




   4.4 A Bit-Slice, 4-Chip Implementation of the Data
       Encryption Standard ........................................... 67
       Kris Rallapalli, Fairchild Semi-Conductor

5. Applications of the Data Encryption Standard (Picture of
   Participants) ..................................................... 65

   5.1 Federal Reserve Communications Security Project ................ 70
       Mr. Howard Crumb, Federal Reserve Bank

   5.2 ARPA Network Security Project .................................. 74
       Mr. Stephen T. Walker, Defense Advanced Research
       Projects Agency

   5.3 Electronic Funds Transfer Application .......................... 80
       Mr. Jack McDonnell, EFT Commission

6. Implementation and Use of the Data Encryption Standard
   (Picture of Participants) ......................................... 83

   6.1 Implementation & Use of The Data Encryption
       Standard within The Data Communications
       Environment ................................................... 84
       Mr. Ed Lohse, Burroughs Corporation

   6.2 Integrated System Design ....................................... 94
       Dr. Walter Tuchman, International Business Machines
       Corporation

   6.3 An LSI Implementation of the Data Encryption Standard .......... 97
       Mr. Howard O. Wright, Rockwell International

   6.4 A Microprocessor Controlled LSI Implementation of the
       Data Encryption Standard
       Mr. Keith Warble, Motorola Inc.

7. Appendix: Question and Answer Session ............................. 116




WELCOME AND INTRODUCTION

S. Jeffery
Conference Chairman
Systems and Software Division
National Bureau of Standards
Washington, D.C. 20234

On behalf of the National Bureau of Standards, I would like to welcome each of you to the Conference on Computer Security and the Data Encryption Standard. The Conference is being sponsored by the National Bureau of Standards and the Civil Service Commission. The program that we have organized for you today has been structured to place the new Data Encryption Standard as published in Federal Information Processing Standard 46 into perspective with other measures that can be used to provide computer and data security.

The Conference has been organized into four sessions. The first addresses the major computer security aspects related to the DES. These include risk analysis, physical security and computer systems security. The second session involves those topics that should be considered in the use of data encryption. These include communications security devices, key management and system design. The third session covers the applications of the Data Encryption Standard that are presently identified. These include security projects involving encryption at the Federal Reserve network, the ARPA network and in electronic funds transfer. The final session will cover various implementations and uses of the DES. These will be discussed by members of various companies that are interested in implementing and using the DES.

In order to cover a very large subject in one day, we request that all questions be written and they will be responded to following the last session. Whenever possible, the question should be addressed to a specific speaker. Each speaker will prepare short written answers to the questions. During the question and answer period at the conclusion of the Conference, the four session chairmen will take turns reading a question and the speaker's response. The questions and answers will be published in the proceedings.

We hope that today will be beneficial to each of you and that you will find the program enjoyable.






The Data Encryption Standard in Perspective

Ruth M. Davis, Director
Institute for Computer Sciences and Technology
National Bureau of Standards
Washington, D.C. 20234

The Data Encryption Standard was approved as a Federal Information Processing Standard by the Secretary of Commerce on November 23, 1976. This Standard was developed as a part of the Computer Security Program within the Institute for Computer Sciences and Technology at the National Bureau of Standards. This paper places this standard in perspective with other computer security measures that can and should be applied to Federal computer systems either before or coincident to using the Data Encryption Standard.

NBS initiated the standards development effort leading to adoption of the DES in 1972. During this period, NBS solicited for algorithms and information upon which a standard could be based, published for comment the algorithm which best satisfied the requirements of an encryption standard, and coordinated the effort with both the potential using communities and supplying communities.

This paper outlines the environment surrounding and the history of the Data Encryption Standard and discusses the objectives of additional standards to be developed within the computer security program.

Key words: Computer security; encryption; standard.



1. Introduction

There are very few of us today whether we are computer scientists, managers, ADP facility personnel or communications specialists who have experience with encrypting and decrypting information in any operational environment. Therefore, there are very few of us who know what to expect when we first begin to use data encryption procedures. As we encounter problems or unexpected happenings there will be very few precedents we can draw upon for guidance. We should, therefore, try to get the most from those individuals and organizations who have already stumbled and learned from their experiences. We will need to know who they are, whether they are in industry, Government or academia.

First, however, we need to remind ourselves as to why there are so many of us now concerned with data encryption when there were so few in the past. As might be anticipated, since we are still at the beginning of the first real sign of general or public interest in encryption, it is difficult to pull apart the underbrush and identify any real pathway. But let us try.

2. Who Has Been Using Encryption?

Prior to the mid-to-late 1960's almost the only use of encryption was for national security purposes. National security is still the predominant motive for data encryption. Other long-established uses of data encryption have been principally in foreign countries by inter-ministry networks, police and gendarmeries and embassy communications systems. How do we ascertain these other principal users of data encryption? Not surprisingly, we used the traditional market indicator--namely, who are the buyers of data encryption equipment sold by vendors. Here, even for U.S. vendors of cryptographic equipment, the market is principally foreign buyers.

In the United States at the present time, a very small percentage of companies use cryptographic equipment and encryption procedures. Hence, it is quite apparent that if we are to find and use available expertise and experience in cryptographic applications, it will be from within the U.S. national security community, foreign organizations and governments and a very few U.S. companies.

3. Why Is Encryption More in Demand Now?

Since the late 1960's there have been a few newly emerging but important motivations other than national security for employing cryptographic equipment and procedures. Categorized in terms of technologically-induced changes they are simply that:

o Computer and communications technology have combined to encourage dramatic increases in the volume and speed of information collection and distribution.

o The principal mode for distribution of time-sensitive data is now electronic.

o Advances in electronic technology have made electronic surveillance and interception inexpensive and available to individual buyers.

o Computer, communications and transportation technology have combined to make the geographically dispersed company or government the more common organizational entity with its management almost totally dependent on electronic means of information transmission.

Categorized in terms of real or perceived threats, these new motivations for employing encryption can be put in different terms--namely, in a rough chronological order of emergent threat as follows:

o Organized and intentional attempts to obtain economic or market information from competitive organizations in the private sector.

o Organized and intentional attempts to obtain economic information from government agencies.

o Inadvertent acquisition of economic or market information.

o Inadvertent acquisition of information about individuals.

o Intentional fraud through illegal access to computer data banks with emphasis in decreasing order of importance on acquisition of funding data, economic data, law enforcement data and data about individuals.

o Governmental intrusion on the rights of individuals.

o Invasion of individual rights by the Intelligence Community.
4. What Is The "Cryptographic Marketplace?"

Faced with this sporadic but increasing demand for cryptographic equipment, what kind of cryptographic marketplace exists? Obviously, the cryptographic marketplace has a very long history since equipment and procedures for transforming data into unintelligible form and then transforming it back into intelligible form have been used for thousands of years.

However, looking just at the 1970's, before the advent of the NBS data encryption standard, the cryptographic marketplace was and is large, competitive, and one in which caveat emptor or "buyer beware" was the prevalent theme. There are about 150 manufacturers of discrete cryptographic devices world-wide of which somewhat less than 100 are American companies. Most cryptographic equipment is now electronic, where just a few years ago it was either mechanical or electro-mechanical. There are also a very few--probably less than five--companies world-wide that sell software encryption packages.

If you really dig in and read company brochures, you will find about a dozen major manufacturers with what we would call a full line of cryptographic equipment: equipment for data with different transmission speeds, for different types of channels and transmission methods, for off-line and on-line use, etc. My estimate is that more than 75% of these dozen companies are foreign manufacturers.

The commercial equipment is generally described in the above terminology, with additional descriptors of allowable key variations and "working principles." We can refer to the working principle as the encryption algorithm.

As you may recall, the marketplace was described earlier as one of "buyer beware." This is because the intricacies of relating key variations and working principles to the real strength of the encryption/decryption equipment were and are virtually unknown to almost all buyers, and informed decisions as to the right type of on-line, off-line, key generation etc., which will meet buyers' security needs have been most difficult to make.

It was into this arena that the National Bureau of Standards entered in 1972.



5. Legislative And Governmental Responsibilities

Responsibilities for design, use and applications of cryptographic equipment were not clearly defined in 1972; they are still not clearly defined in 1977.

NBS, under its Brooks Act (P.L. 89-306) responsibility for setting Federal standards for effective and efficient uses of computer systems, initiated a much needed program in computer security in 1971. It pursued as an essential part of computer security the development of data encryption standards. The purpose of the NBS data encryption standards development effort was to protect computer data in transit or resident in computer systems and networks.

The primary constituency under the Brooks Act for NBS' data encryption standards were Federal agencies; the secondary constituency deriving from NBS' responsibilities as a member of the Department of Commerce was the general buyer not operating under national security provisions and directives.



Responsibilities for cryptographic R&D and use in national security activities are fairly well defined under the National Security Act of 1947 and under the amending Executive Order 11905 of February 18, 1976. Under this Executive Order, the National Security Agency serves "under the Secretary of Defense as the central communications security authority of the United States Government" and is responsible for the "conduct of research and development to meet the needs of the United States for signals intelligence and communications security." NBS has asked for and received the unique and very valuable assistance of NSA since 1972 in NBS' effort to provide data encryption standards for its constituencies.

The only recent relevant Congressional legislation is the Privacy Act of 1974, under which OMB assigned NBS responsibilities for the development of computer and data standards to meet the needs of the Act. Data security is not a requirement of the Privacy Act of 1974. However, data security is one of the means best suited for meeting requirements of the Act.

As of 1977, NBS' data encryption program and its recently issued Data Encryption Standard (DES) have not, to the best of our knowledge, decreased existing competition in the cryptographic marketplace. Indeed, at least five new hardware and/or software encryption products have entered the marketplace as a direct result of the DES.

Probably the principal change in the marketplace that can be attributed to NBS' DES is the lessening of the "buyer beware" characteristic. Anyone buying cryptographic equipment which has been validated against the DES can be assured of a specific level of data security, namely that 2^55 attempts and the use of the method of exhaustion are required to obtain any one key for the encryption algorithm used in the
6. History Of The Data Encryption Standard

As I remarked earlier, the development and history of the DES have been most interesting. NBS has been directly involved for more than five years. The active standards development effort, beginning with collection of relevant information, was initiated in 1973. We solicited for information that was available in the field of cryptography that could be used in guiding our efforts. We were looking for the technical specifications of a method of encryption which could be economically employed in a variety of computer security applications typical of our assigned constituency. We wanted this information to be publicly available so that anyone desiring to adopt the standard could do so. We wanted the method of encryption selected as a standard to be amenable to various types of equipment built by the many vendors of computer and terminal equipment. We wanted the specifications of encryption to be unambiguous so that anyone would be able to decrypt the data encrypted by anyone who also adopted the standard if he had the "key" or secret variable that had been used.

Our first solicitation in May 1973 produced nothing that satisfied these wants. This solicitation requested "proposals for information and algorithms" that could be used in developing a standard and we got a lot of unsolicited proposals to develop encryption algorithms. It seemed that a lot of mathematicians had ideas they wished to pursue. Development of encryption algorithms is not something you do overnight, however. The algorithm that we received which had the best theoretical foundation was received scratched in pencil on a sheet of paper. It was suggested that a random stream of characters be written onto two infinite length tapes which are sent to the parties wishing to communicate. The sender should add the random stream to the message and the receiver should subtract the random stream from the message. This turns out to be the only perfect security system, but we've had difficulty finding suppliers of infinite length tapes. In addition, this system has other practical problems.
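The pencil-sketched scheme above, worked through as an added example (not code from the paper or from NBS): bytes with arithmetic mod 256 stand in for the "random stream of characters", the sender adds and the receiver subtracts, and the two helper functions at the end make concrete both why it is the one perfect system and why the tape must be "infinite", that is, never reused. Function names are mine.

```python
"""One-time pad as described above: add a random stream on the sending side,
subtract it on the receiving side, arithmetic mod 256 on bytes.
Added illustration, not code from the paper."""
import secrets


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """Sender: ciphertext[i] = (message[i] + pad[i]) mod 256."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes((m + k) % 256 for m, k in zip(message, pad))


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Receiver: message[i] = (ciphertext[i] - pad[i]) mod 256."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return bytes((c - k) % 256 for c, k in zip(ciphertext, pad))


def fresh_pad(nbytes: int) -> bytes:
    """The 'random stream': fresh bytes from the OS CSPRNG for each message.
    A real pad source must never hand out the same segment twice."""
    return secrets.token_bytes(nbytes)


def pad_for(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, shown constructively: for ANY candidate plaintext of the
    same length there is exactly one pad that maps it to this ciphertext, so the
    ciphertext alone cannot distinguish the true message from any other."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return bytes((c - m) % 256 for c, m in zip(ciphertext, candidate))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why the tape has to be 'infinite': if one pad segment protects two
    messages, subtracting the ciphertexts cancels the pad and leaves
    (m1 - m2) mod 256, which contains no randomness at all. Operationally,
    any pad reuse must be treated as a compromise of both messages."""
    return bytes((a - b) % 256 for a, b in zip(c1, c2))


if __name__ == "__main__":
    # constructed sample traffic
    message = b"TRANSFER 5000 TODAY"
    pad = fresh_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    assert otp_decrypt(ciphertext, pad) == message
    # any other 19-byte message explains the ciphertext equally well
    decoy = b"TRANSFER 0000 NEVER"
    assert otp_encrypt(decoy, pad_for(ciphertext, decoy)) == ciphertext
    print("round trip and perfect-secrecy check passed")
```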

Even though we received no useful algorithms from the first solicitation, a positive step was made. Interest was shown in cryptography and a need for an encryption standard was demonstrated. In addition, when a second solicitation was made in August 1974, several algorithms were submitted. Some were too specialized; some were ineffective. One was received that showed great merit as an encryption algorithm.

7. Review Of The Data Encryption Standard

This algorithm was published for public comment in March 1975, after undergoing Government review for acceptability as a Federal standard. This is the third phase of a standards development effort: coordination and review. However, even before this was done, procedures were worked out between NBS and IBM, the developer of the algorithm, for having the rights for making, using and selling apparatus implementing the algorithm available to interested parties under the claims of certain patents held by IBM. The terms and conditions of the agreement by IBM to grant non-exclusive, royalty free licenses under these patents are spelled out in the May 13, 1975 and August 31, 1976 issues of the Official Gazette of the United States Patent and Trademark Office.

The comments received concerning the algorithm were most interesting. The most prevalent need that was apparent from the comments was for a general education in encryption. Commentors either simply wanted information on the subject or made comments showing that they did not understand the applications and requirements of encryption. This Conference was organized by NBS and CSC to satisfy this need. The comments also uncovered an important issue regarding the competitive aspects of implementing encryption in various computer architectures. This was studied long and hard by both the legal and the technical staff of the Department of Commerce. Alternative modes of employing the proposed standard were defined and evaluated, and the best ones suggested for use in various architectures. These modes can be used to provide the efficiency needed to satisfy those concerned about this issue.

The complexity and security of the algorithm were discussed in several comments. The algorithm specified in the DES is very complex. A cryptographic algorithm that provides a high level of security must be complex. In order to minimize the impact on a general purpose computer system, a hardware implementation was specified in the standard. Hardware implementations also can be validated and are nearly immune to unauthorized, undetected modification by a potential system penetrator. Software programs are susceptible to modification and are difficult, if not impossible, to validate. However, the security of the algorithm became the most controversial issue.

A standard should be acceptable to a broad range of users. It cannot, however, satisfy all possible needs of all possible users. A standard should be amenable to change when new applications or new technology evolve. It should be reviewed periodically to evaluate any need for change. The DES was developed within this framework. Some commentors felt that the security and complexity of the algorithm was not needed in their application; they wanted a simpler one. Some felt that the security was inadequate for their needs; they wanted a more complex one. They felt that the standard should satisfy all security requirements for all possible users for all time.

The matter was studied at great length by NBS. A workshop was organized to evaluate current technology, and any technology in the foreseeable future which might reduce the effectiveness of the standard. Another workshop was organized to analyze the mathematical foundation of the algorithm and identify real or potential weaknesses of the algorithm. Both workshops resulted in a consensus that the DES was satisfactory for the next ten to fifteen years as a cryptographic standard. No methods for obtaining a key, that you, as users, select to protect your data are known short of trying all theoretically possible keys.

There are 7.2 x 10^16 possible keys for use with the DES. This means that a key would have to be tested every microsecond for the next two centuries in the fastest computers expected in the next few years. A machine consisting of a million special purpose electronic chips, each doing a test in a microsecond was suggested as a threat in the comments. Our workshop on technology concluded that such a machine, although capable of deriving one key in a day, given matched plaintext and cipher, would cost over $70 million to build between now and 1990, be 56 feet long, draw millions of watts of power, and anyone attempting such a task would have a very low probability of success. I do not want to understate the issue of security but I do want to put it into its proper perspective. The risks to data encrypted by the DES will come from sources other than brute-force attacks.

Before leaving this issue, I would like to provide some special guidance. The key used with the DES is the key to security. A cliche, disgusting as it may be, is often easy to remember. No matter how good the algorithm and no matter how good the equipment, the security provided by encryption is only as good as the protection you give the key. Methods for accomplishing this will be discussed today and for many years as systems are developed. Keys should be random; keys should be independent; keys should never have any part predetermined. Failure to follow these rules, or compromises in their achievement, will compromise the security equivalently.
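The three rules (random, independent, no predetermined part) expressed as checks, as an added example that is not from the talk. Parity handling follows FIPS 46; the weak-key list and the two audit heuristics are the editor's additions, not something the speaker specified.

```python
"""DES key hygiene: generate and audit keys against the three rules above.
Added example, not part of the NBS talk. A FIPS 46 key is 64 bits, of which
the low bit of each byte is an odd-parity bit, so 56 bits are secret."""
import secrets

# The four DES weak keys (parity-adjusted form). Under a weak key encryption
# and decryption coincide, so key-management code conventionally rejects them.
WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def set_odd_parity(raw: bytes) -> bytes:
    """Set the low bit of each byte so the byte has an odd number of one bits."""
    out = bytearray()
    for b in raw:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def is_weak_key(key: bytes) -> bool:
    """Weak-key test; parity is normalised first so 00..00 is caught as 01..01."""
    return set_odd_parity(key) in WEAK_KEYS


def generate_des_key() -> bytes:
    """Rule 1, random: draw all 64 bits from the OS CSPRNG, then fix parity.
    Each call is independent of every other call (rule 2)."""
    while True:
        key = set_odd_parity(secrets.token_bytes(8))
        if not is_weak_key(key):
            return key


def audit_key_set(keys) -> list:
    """Findings for a batch of keys. Rule 2 is checked as 'no duplicates';
    rule 3 (no predetermined part) as 'no byte position that is identical in
    every key', which is how a fixed prefix or shared suffix shows up.
    Both heuristics are the editor's, not the speaker's."""
    findings = []
    for i, k in enumerate(keys):
        if not has_odd_parity(k):
            findings.append(f"key {i}: parity error")
        if is_weak_key(k):
            findings.append(f"key {i}: DES weak key")
    if len(set(keys)) != len(keys):
        findings.append("duplicate keys: keys are not independent")
    if len(keys) > 1 and all(len(k) == 8 for k in keys):
        for pos in range(8):
            if len({k[pos] for k in keys}) == 1:
                findings.append(f"byte {pos} identical in every key: predetermined part")
    return findings
```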



8. Related Security Measures



Other security measures related to the use of encryption are scheduled for discussion in the next session. Risk analysis is specifically recommended in the DES before encryption is selected for use. Administrative security should be adopted before encryption is used and must be expanded to include the procedures of key handling when encryption is implemented. Physical security is always required in varying degrees in all computer systems. Additional requirements for protecting encryption equipment must be satisfied when encryption is used. Finally, the technical implementation of encryption equipment must be done properly for an effective cryptographic system. These areas will be discussed in depth throughout the day.

The DES was adopted as a Federal standard on November 23, 1976, and published as Federal Information Processing Standards Publication 46 on January 15, 1977. Each of you received a copy in your registration packet. The standard is divided into two sections: the announcement section and the specification section. The announcement portion gives the administrative ground rules for following the standard. Every agency is responsible for complying with the standard. Encryption should only be dictated for use from within an agency and only after an in-depth risk analysis is done. When encryption protection is required and if the data is unclassified, then encryption hardware should be procured when it complies with FIPS PUB 46 and used to provide the desired protection. The specification portion defines unambiguously the algorithm to be used to encrypt and decrypt data. Related administrative information should be obtained from the announcement portion. The effective date of the standard is July 15, 1977, and Federal agencies are to comply with the standard after that date.



In a communications application the DES does not stand alone. Existing standards must be used and additional standards are needed. Existing Federal Information Processing Standards (FIPS) and Federal Telecommunications Standards (FTS) are to be used when implementing the DES in communications. However, additional standards for the electrical, mechanical and functional aspects of stand-alone, add-on communications security equipment utilizing the DES are needed. Standards for incorporating DES devices in terminals and communications processors are needed for an effective cryptographic system.

A technical subcommittee for developing a standard for the use of DES in communications has been established by the Federal Telecommunications Standards Committee (FTSC). An ad hoc committee, under the leadership of NBS, investigated the need for such a standard. The recommendations of the ad hoc committee were adopted by the FTSC and endorsed by the FIPS Coordinating and Advisory Committee. The recently approved formal subcommittee is drafting a standard for review and approval as a Joint Federal Telecommunications and Information Processing Standard. The formation of the subcommittee was recently announced in the Federal Register. Technical contributions and comments are welcome from interested parties from both the public and private sectors.

9. Support of the Data Encryption Standard 

The final topic I would like to discuss this morning is the support of the standard, the final phase in standards development. NBS will support the standard in various ways so that you as potential users can obtain assistance from several sources in adopting the standard. A Data Encryption Testbed has been established within the Institute for Computer Sciences and Technology at NBS to provide some of the assistance. Two major services are being performed. First, a validation service is being established to test hardware devices for compliance with the specifications of the standard. The standard specifies a transformation of 64 input bits into 64 output bits based on a 64-bit key. It also specifies that hardware be used to perform this transformation. NBS has defined a set of tests which provide a high degree of assurance that the hardware implementation performs the transformation correctly. Vendors intending to supply such devices to Government users must have the devices validated. This service will be done by NBS on a cost reimbursable basis. The service will conform to the administrative regulations found in NBS Special Publication 250, Calibration and Test Services of the National Bureau of Standards. Agencies seeking to procure DES devices should use the wording of Federal Property Management Regulation 101-32 presently being amended by the General Services Administration. Finally, the responsibilities of the National Security Agency, formulated in Executive Order 11905 dated February 18, 1976, include assisting Federal departments and agencies in implementing communications security and determining specific security requirements in this area.

The second use of the Data Encryption Testbed is to develop and evaluate methods of using the DES in various applications. Additional standards are required for assuring compatibility among devices employing the DES in specific applications. A fundamental goal of the DES was to provide a basis of compatibility among various devices in various applications while providing a high level of security. A standard should not dictate all of its applications within the standard. Innovative implementation and application are the bases for competition in providing products or services meeting a standard. No standards effort should attempt to stifle competition or innovation. Standards should either be adaptive or amenable to change. Additional standards can be built on fundamental standards in selected applications to provide compatibility. The DES is a fundamental standard for data communications security. A Federal task group has been established to assess the need for and scope of additional standards in cryptographic systems. Information regarding the validation tests of DES devices, as well as the standards efforts in data communications security, is available from the Systems and Software Division of the Institute for Computer Sciences and Technology at NBS.



10. Concluding Comments



In summary, the Data Encryption Standard has been a forerunner in a structured standards development process. The Federal Government took the initiative in developing a standard which satisfied its own identified need. A cooperative effort was established within the Federal Government and between the Government and private industry. For the first time, a Federal standard is publicly available that can be used to provide a high level of cryptographic protection for computer data. A very high level of public interest has been demonstrated throughout the development process. Private industry will be the suppliers of devices complying with the standard. Government agencies, as well as private organizations, will be the users of the devices and consumers of the services based on the standard.

All Federal agencies have been requested by NBS to state their needs for additional Federal Information Processing Standards and to support the subsequent efforts in satisfying these needs through a cooperative standards program. Only through efforts such as these, supported by private individuals and organizations, can computers be made more effective and more secure.




Computer Security Risk Assessment



Robert H. Courtney
IBM Corporation
Systems Research Institute

291 E. 42nd Street
New York, New York 10017



The following paper has been extracted from the verbal presentation of Mr. Courtney at the February 15th Conference. A written paper had not been submitted at the time of publication of these proceedings.



1. Introduction

My objective today is to convince you that you should not spend one nickel on computer security unless you can cost-justify that nickel, that there is a way of cost-justifying that nickel, and that in all probability you should be getting on with it. A convenient way to start is by sharing with you some of the observations that were made after looking at over four hundred data processing installations. These installations had already become aware of computer security for some reason. They did not have to be made aware of the problem; they were already aware. However, for one reason or another, they had not achieved a level of security which they considered adequate.


The most probable reason for not achieving an adequate level of security is their failure to prioritize the problem. For most of us human beings, especially those who are technically oriented, we would like the problem to be technically challenging. This is a difficulty in the area of data security; the fundamental problem is not intellectually exciting.

2. Prioritized List of Computer Security Problems


I feel that there are six major problems in data security. The first major problem is simply errors and omissions. The employees committing errors or failing to perform specific acts are typically honest. They simply are not competent to perform the job adequately at all times. The dishonest people of this world will never be able to contend with the incompetent in the damage they do. The incidence of errors and omissions probably accounts for 50-80% of the data security problems I have encountered in my discussions with ADP managers. If a manager does not account for the problems in this first category, he will never be able to cost justify the security measures that he chooses to implement.




The second major category of data security problems is that of dishonest employees. It is apparent after analyzing this category that the vast majority of incidents do not deal with highly technological failures. For the most part they are clerks and operational people who are misusing their powers in not just doing their job, but in doing something else. Who steals from Accounts Payable? The person working in Accounts Payable. Who steals from Payroll? The person working in Payroll. The people working in Inventory do not steal from Accounts Payable; they steal from that part of the system they know best.

In the third place clearly is fire. It is not because ADP processing equipment is highly flammable. The last significant fire we had in a computer was an old IBM-650 computer in 1967. For the most part, computers burn because the fire starts in them, but they keep burning because of the flammable material around them. Most people have put their fire protection where the computer installations are rather than where the combustibles are. We seem to place our security measures where they do the least good. There is a longer lead time for obtaining pre-printed forms required for the day-to-day operation of many companies and Federal organizations than there is in the CPU that does the processing.

In a clear fourth place is the category of disgruntled employees. As opposed to dishonest employees, disgruntled employees do not have an economic motive for doing what they do. There are relatively few instances of problems caused by disgruntled employees but, unfortunately, the dollar value of these incidents is high. The important point here is that there is no case known in which an employee, happy and honest on Tuesday, came into work on Wednesday and took the place apart. For the most part, the disaffection grows over a significant period of time and it is partly the insecurity or cowardliness of first level management that keeps us from catching these potential problems. Rather than meeting a problem head on, we would rather hope that it will go away. It is better to move such a person out of a sensitive position than to suffer the possible consequences.

In the fifth place is water. Floods are not the major problem in this category; broken water pipes and leaking roofs are the big problems. One can deal with this problem primarily with a fifteen foot roll of polyethylene plastic and a pair of scissors. The higher the building or the newer the building, the higher the probability that it will suffer water damage. A fire on the 23rd floor of one building, quenched with water, knocked out a center on the 8th floor because of leaking water.



In last place are strangers. These are the people who we do not know and are not our employees. These are the people who tend to mount more technologically superior attacks against our system. As we grow toward Electronic Funds Transfer systems, we may see a higher number of incidents in this category. Given this order of prioritizing, you may be able to get a measure of the risks associated with your particular system.

3. A Risk Analysis Methodology

This approach to risk analysis is based on a listing and evaluation of all of the data files stored and processed in a computer system. The person doing the risk analysis must then look at all of the things that can happen to those data files. There are only six "bad things" that can happen to data files. These are: accidental destruction, disclosure and modification, and intentional destruction, disclosure and modification. At each intersection of "data file" and "bad thing" in a matrix, I would like to see three numbers. First, the dollar impact, very grossly stated, i.e., within an order of magnitude, of the impact of this "bad thing" happening to data. The next number represents a probability that this "bad thing" may happen to the data. The third number in the matrix is the product of the two. This number represents an annualized risk; i.e., the number of dollars that it may cost per year. Only if I am able to come up with an annualized risk, measured in dollars, am I able to collect and apply those security measures which are cost effective. We have enough data collected from individuals performing a risk analysis to be assured that this method does work. This approach will also identify the problems which are cheaper to tolerate than they are to solve, and there are a fair number of those. There are a number of expensive security measures which will protect us against security problems which we almost never have. We must not use those.

The use of this matrix also identifies those processes or operations which a company or a Federal agency must be able to perform in order to get their job done. Most of them will actually be able to operate on an emergency basis with only 15-20% of the data processing capabilities that they normally require. However, an ADP manager must determine beforehand what comprises this 15-20% of critical ADP operation. The risk analysis should yield a good indication of which processes are critical.
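The matrix described above, carried through on constructed figures as an added example (not the paper's own data): each cell holds the order-of-magnitude impact, the yearly probability and their product, measures are accepted only when they remove more annualized risk than they cost, and the cells left over are the ones cheaper to tolerate than to solve. File names, dollar amounts, probabilities and measures are all invented for illustration.

```python
"""Courtney's risk matrix on constructed figures (added example, not from the
paper). Rows are data files, columns the six bad things; each cell holds an
order-of-magnitude dollar impact, a yearly probability, and their product, the
annualized risk. A measure is accepted only if it removes more annualized risk
than it costs per year; cells with no cost-effective measure are tolerated."""
from dataclasses import dataclass

BAD_THINGS = [
    "accidental destruction", "accidental disclosure", "accidental modification",
    "intentional destruction", "intentional disclosure", "intentional modification",
]


@dataclass(frozen=True)
class Cell:
    impact_usd: float    # loss if the event happens, stated to an order of magnitude
    probability: float   # expected occurrences per year

    @property
    def annualized_risk(self) -> float:
        return self.impact_usd * self.probability


# Constructed estimates: file -> bad thing -> (impact as power of ten, per-year probability).
ESTIMATES = {
    "payroll master": {
        "accidental destruction": (5, 0.1),     # $100,000, once in ten years
        "accidental modification": (4, 2.0),    # $10,000, twice a year
        "intentional disclosure": (5, 0.05),
        "intentional modification": (5, 0.2),
    },
    "accounts payable": {
        "accidental destruction": (5, 0.1),
        "intentional modification": (6, 0.1),   # the AP clerk stealing from AP
        "intentional disclosure": (3, 0.02),
    },
    "inventory": {
        "accidental modification": (3, 10.0),
        "intentional destruction": (4, 0.01),
    },
}

# Constructed candidate measures: (name, yearly cost, cells covered, fraction of risk removed).
MEASURES = [
    ("off-site backup copies", 8_000,
     {("payroll master", "accidental destruction"),
      ("accounts payable", "accidental destruction"),
      ("inventory", "intentional destruction")}, 0.9),
    ("dual control on AP changes", 15_000,
     {("accounts payable", "intentional modification")}, 0.8),
    ("DES encryption of payroll file", 3_000,
     {("payroll master", "intentional disclosure")}, 0.95),
    ("armed guard on tape library", 60_000,
     {("accounts payable", "intentional disclosure")}, 0.9),
]


def build_matrix(estimates):
    """Every file gets all six columns; unestimated cells carry zero risk."""
    matrix = {}
    for fname, row in estimates.items():
        matrix[fname] = {}
        for bad in BAD_THINGS:
            if bad in row:
                exponent, p = row[bad]
                matrix[fname][bad] = Cell(10.0 ** exponent, p)
            else:
                matrix[fname][bad] = Cell(0.0, 0.0)
    return matrix


def total_annualized_risk(matrix):
    return sum(c.annualized_risk for row in matrix.values() for c in row.values())


def ranked_risks(matrix):
    """(file, bad thing, annualized risk) triples, largest first, zeros dropped."""
    cells = [(f, b, c.annualized_risk) for f, row in matrix.items() for b, c in row.items()]
    return sorted((x for x in cells if x[2] > 0), key=lambda x: x[2], reverse=True)


def evaluate_measure(matrix, name, annual_cost, covers, reduction):
    """Cost effective when the annualized risk removed exceeds the yearly cost."""
    removed = sum(matrix[f][b].annualized_risk * reduction for f, b in covers)
    return {"measure": name, "annual_cost": annual_cost, "covers": covers,
            "risk_removed": removed, "cost_effective": removed > annual_cost}


def cheaper_to_tolerate(evaluations):
    """Cells for which every proposed measure costs more than it saves."""
    fixed = set().union(*(e["covers"] for e in evaluations if e["cost_effective"]))
    proposed = set().union(*(e["covers"] for e in evaluations))
    return proposed - fixed


def plan(estimates=ESTIMATES, measures=MEASURES):
    """Run the whole method: matrix, ranking, accepted measures, tolerated cells."""
    matrix = build_matrix(estimates)
    evaluations = [evaluate_measure(matrix, *spec) for spec in measures]
    return {
        "total_annualized_risk": total_annualized_risk(matrix),
        "top_risk": ranked_risks(matrix)[0],
        "accepted": [e["measure"] for e in evaluations if e["cost_effective"]],
        "tolerated": cheaper_to_tolerate(evaluations),
    }
```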

The National Bureau of Standards is publishing this approach to risk analysis in a document entitled "Automatic Data Processing Risk Assessment," NBSIR 77-1228 (available as PB 265950 from the National Technical Information Service, Springfield, Virginia 22161).






Data Encryption
and its Relationship to Physical
Security Planning



Robert V. Jacobson
Chemical Bank
New York, New York 10041



Data encryption is a powerful tool for protecting data against discovery by an unauthorized person. However, use of data encryption does not automatically solve all security problems. The ADP security planner must examine the attacker's perception of an encryption protected system if he is to select other security measures wisely.

Key Words: Encryption, data security.



1. Introduction

Over the past decade, growing emphasis has been placed on security for automatic data processing (ADP) systems for three reasons. First, ADP hardware and software are very costly. It is not unusual to have value densities of $1000 to $3000 per square foot. Second, many organizations now use computers to control daily operations. If the ADP system ceases to operate for whatever reason, the organization may suffer serious losses. Consequently, security measures to protect against damage from fire, floods, sabotage and the like have become increasingly important. Third, it is now common to find ADP systems which control valuable assets, money, goods, services or proprietary information. Most recently, we have seen great interest in protecting personal information against improper disclosure. As a result it has become important to provide effective controls over physical access to ADP resources to minimize the exposure to fraudulent tampering with data, programs, hardware and to the theft of information.

The objective of the ADP security planner is to select an array of security measures with an attractive cost/benefit ratio. That is to say that the cost of the security program is exceeded by the reduction in expected losses which the security measures are expected to bring about. He makes this selection based on the results of a risk analysis. He first forecasts the loss which each of all possible risks can be expected to cause. (Of course, to make the process feasible, he will aggregate similar risks into a finite number of risk types, e.g. major fire, minor fire, small fire, etc., and he will use simplifying assumptions and judgemental predictions.) Next, he looks at the expected losses, beginning with the largest one, and looks for security measures which can reduce the losses at a cost less than the reduction, so that there will be a net gain to the organization. This sort of analysis has led to a general emphasis on physical security measures simply because the cost/benefit ratios are more attractive than other more abstract security measures. As a rule this stems from uncertainty about the effectiveness of the more abstract measures. However, once satisfactory physical security measures have been installed, the prudent ADP manager will want to look at other measures like data encryption.

When contemplating data encryption, there are two key points that one should keep in mind. The first point is that data encryption only accomplishes one thing: it makes the discovery of the encrypted information by an unauthorized person more difficult, and accidental discovery becomes extremely unlikely. It is important to note the distinction between more difficult and impossible. Bearing in mind the specific function performed by data encryption, it should be obvious that the adoption of data encryption as a security measure does not eliminate the exposure to other computer security risks.

The second point is that the management of data encryption keys will not somehow take care of itself. Explicit procedures, safeguards and audits must be adopted for the management of keys at the same time that data encryption devices are installed. Depending on circumstances these costs may not be trivial. It is not uncommon to hear that an access control device for a door only costs X dollars. No mention is made of the costs to install and service the device, prepare and issue special I.D. cards and train personnel in its use. Without doubt the same sort of thinking can apply to data encryption. It seems likely that the cost of hardware to implement the NBS Encryption Algorithm will drop dramatically as a volume market develops. The price history of four-function pocket calculators during the period 1972-1975 provides an excellent model of a learning curve for large scale integration production costs. Therefore, the security planner must guard against the temptation to equate the total cost of data encryption with the cost of the hardware.

Given these considerations, what specifically should the computer security planner do regarding physical security as it relates to data encryption?

2. The Criminal's Viewpoint

Let us consider for a moment the problem that data encryption poses for the criminal as he attempts to gain knowledge stored or transmitted by our computer system. And let's begin by assuming that he cannot extract encrypted data without a key. We will assume that analytical extraction of a key is economically infeasible and we will assume that trial and error extraction of a key is seen by the criminal to be more expensive than other, more conventional modes of attack. Our criminal has three choices. He can attack the unencrypted parts of the system, he can seek to compromise the encryption key by bribery or extortion, or he can give up and go elsewhere. Of course, we hope he will give up but bear in mind that he will do so only if it is his lowest cost option. If the desired information is not available elsewhere and the cost of failure is greater than the cost of success, we should assume that he will continue his efforts.* Hence, we should first consider not how valuable the information is to us or how great our loss would be if it were improperly disclosed but rather what reward the criminal gets for stealing it and where else he might go to get the same information.


Crime prevention specialists often speak of crime displacement. If we double the foot patrol in the ninth precinct we can cut street crime in half. But can we? Sadly, we find that crime in the neighboring precincts has increased almost proportionately to the decrease in the ninth precinct. Therefore, if our analysis of the criminal's perception of his reward-to-risk ratio suggests that he will not choose to go elsewhere, we should assume that we have only displaced, not eliminated, the crime. If it appears that data encryption will only displace the attack to some other part of the ADP system, it would seem as though data encryption were of no value.

Of course, this is not the case. The objective of the security planner is to use each security dollar he spends to prevent as many loss dollars as possible. The way he reduces crime losses is by making the reward/risk ratio less attractive to a prospective criminal. Since the operative reward/risk ratio is the one which applies to the most weakly defended part of the system, strengthening that part of the system will, in fact, reduce crime losses. In the ideal case, all parts of the system would be perceived by the potential criminal as having the same reward/risk ratio.



3. Analysis of a Typical Case

Figure one shows a specific example of these considerations. Assume that the criminal wants to see the transactions performed by the operator at the remote terminal. He has five reasonable possibilities: (1) subvert the remote terminal operator; (2) obtain the information at the remote terminal without the operator's knowledge from emanations, discarded printout, hidden camera, etc.; (3) tap the data circuit to the terminal; (4) subvert the console operator and get from him a printout of the transaction journal for the terminal; (5) obtain possession of the transaction journal medium. (There are, of course, other more remote possibilities but these five are adequate to illustrate the point at hand.) Figure two shows how the criminal is likely to evaluate each of these possibilities with and without data encryption of the data circuit and the terminal transaction file. The evaluations placed on each of the factors are the author's and the reader may not always agree but he will probably agree with the overall conclusion. An attack on the data circuit is by far the most attractive in most instances. The skillful criminal with adequate resources can arrange the tap so that once it is in place, there is no traceable link between the tap and the criminal's base of operations. As a result, the danger of discovery and punishment is much reduced compared with attacks on other elements where he must physically enter protected areas. He will get exactly the information he wants and he will get it in real time which may be important in some cases.

*In this regard it is important to understand that generally speaking the rational criminal is motivated by his perception of the ratio of his reward to his costs, risk of discovery and punishment, out of pocket expense, etc., regardless of the amount of the victim's loss.

Figure One: A representative data communications system showing five points of attack (the elements shown are the terminal operator, the remote terminal, the data circuit and the terminal transactions file).

4. Physical Security Requirements

How will the criminal respond if he finds the circuit protected by the NBS Encryption algorithm? Assuming the algorithm to be uneconomic to crack, he only has two choices: get the key or attack elsewhere. Figure two suggests that he will go after the terminal unless he believes he can get the key itself.


Figure Two: The criminal's evaluation of alternate targets. The figure rates each target on Real Time?, Danger of Discovery, Probable Success (No D-E and With D-E) and Preference** (No D-E and With D-E); only the first of these columns survived reproduction legibly.

Target                        Real Time?
1. Terminal operator          yes
2. Terminal                   maybe
3. Data circuit               yes
4. Computer operator          no
5. Transaction journal file   no

* Assumes data circuit and journal file are encrypted and keys are not compromised.

** Probable order of preference perceived by the potential criminal, 1 being most preferred and 5 least preferred.

D-E = data encryption

The physical security requirements can now be seen to be these:

1.) The protection of the remote terminal against snooping must be strong enough to deflect the criminal. There must be no easy way for him to tap into the terminal where text is in the clear, to pick up electromagnetic or acoustic emanations from the terminal, to get copies of printout or to place a TV camera to observe the screen and keyboard. Obviously, he should not be able to get the key from the terminal itself.

2.) Similar measures must be taken at any point in the computer facility where the terminal transactions can be displayed or intercepted in clear text.

3.) Methods used to generate keys, carry them to the terminal and install them must be proof against undetected compromise.

4.) Access to the computer and the terminal must be limited to the least number of individuals and all such access must be a matter of record.

The last point seems obvious but may have implications not immediately apparent. Let us assume that we have installed highly secure data encryption and such effective physical security that there is no direct way to get the desired information. At this point our criminal might very well seek to install his "tap" inside the computer. Rather than approach the terminal operator or computer room personnel, both obvious targets, he might try a more indirect route. Without revealing his real objective, he might try to patch the computer's control program to allow him to eavesdrop on the remote terminal or the key generation process. How do we stop this? Only by complete control over all changes to hardware, system software and applications programs. Obviously change controls are meaningless if they are not implemented with credible controls over physical access to system resources.

5. Evaluating Data Encryption


A natural reaction at this point is to question the value of data encryption. It seems only to have forced a lot more security measures on us. Of course, that is not the point. What we have done is to identify all the points at which the information is exposed to criminal attack and tried to make all the points equally difficult to attack. Failing that we will simply displace the crime from the weakest to the next weakest point, perhaps at little added cost to the criminal.
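The reward/risk view from section 2 and the displacement argument above, worked as an added example with constructed numbers (none of the author's figures from Figure Two are reproduced): the five exposure points get a perceived reward, out-of-pocket cost and probability of discovery; the operative ratio is the highest one; encrypting the circuit and journal zeroes their reward, and the report shows where the attack is displaced and how unbalanced the system remains. Values, the simple ratio formula and the function names are the editor's assumptions.

```python
"""Attacker-perceived reward/risk ratios for the five exposure points in the
paper's example, as an added illustration (not the author's figures). The
operative ratio is the highest one; hardening that point displaces the attack
to the next highest, so the planner checks the spread across all points, not
only the point he hardened. All values are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    name: str
    reward: float        # value of the information to the criminal, not our loss
    cost: float          # out-of-pocket expense of the attempt
    p_discovery: float   # probability of discovery and punishment, 0..1
    penalty: float       # what discovery costs the criminal

    def reward_risk_ratio(self) -> float:
        """Reward over expected cost (expense plus expected penalty)."""
        expected_cost = self.cost + self.p_discovery * self.penalty
        return self.reward / expected_cost


# Constructed: same reward at every point (the same transactions), costs differ.
EXPOSURES = [
    Exposure("terminal operator", 10_000, 2_000, 0.50, 50_000),
    Exposure("terminal", 10_000, 5_000, 0.20, 50_000),
    Exposure("data circuit", 10_000, 3_000, 0.05, 50_000),
    Exposure("computer operator", 10_000, 2_000, 0.40, 50_000),
    Exposure("transaction journal file", 10_000, 4_000, 0.30, 50_000),
]


def preference_order(exposures):
    """Targets from most to least attractive; the first is the weakest defence."""
    return sorted(exposures, key=lambda e: e.reward_risk_ratio(), reverse=True)


def operative_ratio(exposures):
    """The ratio that governs the criminal's decision: the best one on offer."""
    return preference_order(exposures)[0].reward_risk_ratio()


def apply_encryption(exposures, protected):
    """Data encryption at a point removes the reward of attacking it, on the
    paper's assumption that the key is not compromised; nothing else changes."""
    return [replace(e, reward=0.0) if e.name in protected else e for e in exposures]


def spread(exposures):
    """Best minus worst ratio; the ideal case in the text has all ratios equal."""
    ratios = [e.reward_risk_ratio() for e in exposures]
    return max(ratios) - min(ratios)


def displacement_report(before, after):
    """Where the attack goes after a control is added, and whether risk fell."""
    old, new = preference_order(before)[0], preference_order(after)[0]
    return {
        "before": old.name,
        "after": new.name,
        "displaced": old.name != new.name,
        "operative_ratio_reduced": new.reward_risk_ratio() < old.reward_risk_ratio(),
        "spread_before": spread(before),
        "spread_after": spread(after),
    }
```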

What we must do is to evaluate data encryption as a security measure in terms of the kinds of losses it can reduce and in comparison with other measures which achieve the same loss reductions. We recognize that data encryption protects against losses resulting from unauthorized disclosure of information but nothing more and only protects at the points where it is used. Consequently, we won't expect data encryption to solve any other security problems. We can also see that there are other ways to protect the data circuit and transaction journal in our example. The journal medium (tape reel or disk pack) could be removed from the ADP hardware by a two man team and kept in a safe with two combination locks. Likewise, we could use special pressurized coaxial cable for the data circuit which alarms if an attempt is made to cut through the jacket. As a back-up, special electronics could measure the characteristics of the data circuit and detect the slight electrical changes caused by a tap. The reader probably can imagine additional measures. We can estimate the cost and probable effectiveness of each of these potential measures with some confidence.



The reason we are interested in data encryption is that in most cases it will be much cheaper than any other potential security measure. Once data encryption has been identified as the most economical security measure, we should consider the relative merits of hardware and software implementations. Cost differences will depend on particular circumstances but hardware has a number of advantages. Fraudulent alteration of the algorithm is much more difficult and when LSI is used it will be substantially impossible. With well designed hardware, the key will "evaporate" if power is turned off or the container is opened. In extremely critical applications, the container can be equipped with devices to sense tampering and signal key erasure. The security auditor will certainly prefer these features since they are all auditable.

This leads us to a final point. We can never be sure that our defenses will work as expected or that we have correctly anticipated how the potential criminal will attempt to attack our system. For both reasons it is important to have an effective audit program which operates unpredictably in both time and space. Both the criminal and in-house personnel who might be his targets should be able to predict neither when a given function or area will next be audited nor how the examination will be conducted. The credible audit program will decrease the criminal's assurance that he will not be caught and so further aid in deterring the crime. This is particularly significant when the criminal would, except for the audit program, predict a zero probability of discovery. Thus, even though he knows that an area key to his planned crime has never been audited, if he knows that it might be audited tomorrow he will think twice before going ahead.



In summary, data encryption will provide a very high level of protection for data, but other points at which the data are exposed must have commensurate levels of protection if we are to enjoy the full benefits of data encryption. Security measures used during generation, distribution and installation of encryption keys should be strong enough to discourage attack. All security measures should be supported by a high quality audit program with an unpredictable schedule and scope. Finally, management must recognize the need to analyze all security needs in terms of both risk and loss exposure, and to strive toward a balanced, economically sound security program.






Computer Systems Security and the NBS-DES
(Beyond Line Encryption)

Clark Weissman
System Development Corporation
2500 Colorado Avenue
Santa Monica, California 90406



The recent adoption of the Data Encryption Standard (DES) by the National Bureau of Standards has created significant interest in the area of cryptography. There are numerous considerations to be made when designing a cryptographic system. The NBS-DES must be embodied in a system employing automatic, down-line key management and end-to-end encryption to be truly effective in a computer network. This paper reviews several issues in this area and suggests solutions.

Key words: Cryptography; end-to-end encryption; key management.






Encryption can do more than protect data in transit. It can be employed to enhance the security of computer systems as well as to authenticate users, grant them access to system resources, and dynamically enforce that authorized access. The NBS-DES is an excellent vehicle for achieving these ends when used in a system-wide manner that employs automatic down-line key management and end-to-end encryption.

System Development Corporation is involved in developing these hardware and software encryption techniques and practically applying them to improve the computer security of Electronic Funds Transfer Systems (EFTS). In this paper I review the security issues and suggest solutions.

PROTECTION: A SYSTEMS PROBLEM

Security is a "weak link" phenomenon with exposure arising from high-valued assets leaking from a flawed information system through the planned efforts of exploitative criminal interests. The information system consists of entry/display, delivery, and processing subsystems which depend on vulnerable computers and software. Countermeasures must be balanced to raise the protection of "weak links" in a uniform manner by application of a system-wide plan.

The plan elements shown in figure 1 are: (1) a protection policy, reflected in the requirements for the system; (2) omnipresent enforcement of that policy by the total hardware, software, and people components of the system; and (3) trustworthiness accreditation of the system at each stage of its lifecycle development. Let us look at each plan element in turn.

POLICY PROTECTION REQUIREMENTS

Protection policy requirements may be geared to counter threats from different sources. Safety requirements counter failure or accidental exposure of sensitive data. Countermeasures are based upon using trusted components, component redundancy, and trouble-detection and backup procedures.

Privacy requirements deal with constraints placed on authorized users who disclose data inadvertently or by exceeding their authority. Countermeasures depend on increasing the granularity and control of information. If users and data are explicitly identified and differentiated in terms of data-item sensitivity labeling and levels of user authority, control can be imposed to limit access to the least amount of privilege necessary to accomplish a job. Also, the improved granularity can enable fine-grain transaction journaling and accounting for authorization checks.

Figure 1. The three plan elements: protection policy, enforcement, and lifecycle accreditation.

Lastly, security requirements address the sophisticated planned penetration attack on the system to steal data or sabotage the system. Figure 2 summarizes these threats and countermeasures. Most noteworthy is that human intelligence can seek out or plan system hardware or software flaws to achieve these security violations.



LIFECYCLE ACCREDITATION

Once the protection policy is defined, the resulting requirements must be satisfied by the enforcement system. Trustworthy enforcement options increase with the lead time available before delivery of the system, from future research, through new system developments, to operations on existing systems. Figure 3 summarizes the state of the art: only future systems show promise of solving the security problem. However, privacy and safety requirements can be addressed today with procedural and physical barriers, and with some new design retrofit.

In future systems, the security policy must be enforced by the total information system in the entry/display, network delivery, and CPU processing subsystem elements. Since each of these involves computers and software, they are all vulnerable to common generic problems. However, the specific nature of the tasks for the entry and delivery subsystems makes the use of encryption quite attractive. Furthermore, the central processing subsystem plays the important support role of ensuring the security integrity of the other subsystems.

PROTECTION ENFORCEMENT IN THE ENTRY/DISPLAY SUBSYSTEM

User and system authentication is the principal enforcement function addressed by the entry/display subsystem. Threats and countermeasures are described below according to the increasing virulence of the threat.

Impersonating someone is the simplest threat, effective on systems without mandatory ID checks. These checks should be made based on a unique Personal Identification Number (PIN) manually entered on the terminal. It is best for the PIN to be committed to memory and otherwise carefully protected, since it is the basic security authenticator of a user's identification credentials. The user's ID (not the PIN), a Personal Account Number (PAN), and the Cryptographic Check Digits (CCD), an encrypted form of the PIN, can be written on a plastic card which is readable by the terminal. Lost or stolen credentials (cards) can be countered by positive ID authentication of the PIN against the CCD at the terminal, if it has the "smarts" and the host processor is offline, or downstream at the host processing subsystem if it is online. Auxiliary checks are necessary to protect against altered or counterfeit credentials. These include secondary credentials, e.g., credit cards and drivers' licenses, or online CCD/PIN check at the host processor.

Figure 2. Protection policy: threats and security requirements.

Threat:
1. Asset theft, falsification, sabotage.
2. Flaw finding: stress system limits and prohibitions; plan trap door, trojan horse; modify system code; process-to-process signaling.
3. Flaw exploitation: by-pass or disable checks, audits, recording; falsify parameters; impersonate user; piggy-back data copy; component substitution; operator/user spoof.

Security requirement (countermeasure):
1. Subject and object definition.
2. Process (subject) encapsulation (security perimeter).
3. Subject/object access rules (controlled sharing).
4. Access control mechanism (ACM).
5. Self-protection: ACM always invoked; ACM obeys policy; trustworthy.

Figure 3. How can the security problem be solved? (Matrix of system layers: hardware; operating systems and nets; support utilities; applications and data management; physical and procedural. Columns: existing systems, which can only provide barriers; new designs; future systems, with increasing ability to solve the real problems.)

An unusual, but simple form of fraud involves spoofing a user to surrender his PIN with simulated system messages from a counterfeit system. The best protection approach is knowledgeable, alert users who authenticate the system on the other end of the dialog based on a prearranged "handshake" of randomly selected data from a user-exclusive data base.

Finally, the terminal itself may be stolen and counterfeited, permitting PIN capture and storage for later playback. Physical protection is necessary, including tamper and disconnect detection and alarm. Logical protection is possible and desirable employing the NBS-DES. DES keys can be automatically erased upon terminal disconnect, and terminal IDs can be encrypted in transaction messages to thwart bogus message originators.

PROTECTION ENFORCEMENT IN THE DELIVERY SUBSYSTEM

Data exposure from theft of data in transit on the communications line is an old threat solved by line encryption. However, the increased use of digital traffic has led to new network architectures using security-vulnerable store and forward switches, packet processors, communication front ends, and value-added network (VAN) processors. The old line-tap threat is compounded by misrouting of messages, data leakage and theft, or message modification in these intermediate computers of the delivery subsystem. Furthermore, simple line encryption is insufficient protection as cleartext flows through these intermediate computers to permit them to perform their routing and value-added tasks. The solution is to separate message text from control text, encrypting the former (from originator to destination) and having the latter in cleartext within the delivery subsystem computers. This concept of End-to-End Encryption (E^3) counters the new network threats but requires new hardware and systems technology to perform the "smart" selective text processing.

A number of other threats can be addressed by NBS-DES and E^3 technology. Encrypted messages may be copied off the line and altered or duplicated for later playback. Protection measures include full message text encryption with the text containing both message sequence numbers and redundancy codes. The NBS-DES is cryptanalytically sound to resist code-breaking threats. Thus, new threats will arise from operational and management employment of the NBS-DES and E^3 techniques. For example, separately evolving networks will at some future time need to exchange data. Incompatible encryption algorithms or key management schemes will restrict such system interchange. The NBS-DES is fully reversible, and all employment schemes should maintain that feature. Counter-arguments advocating irreversibility based on fear of key loss and theft, which can compromise data, have merit; however, those fears are best addressed by frequent, automated key change.

Frequent key changes (weekly, daily, or as needed) limit the key "life" for the thief, but only if such frequent key change does not itself expose the keys. Frequent manual key change is both a security vulnerability and a high-cost key management operation for any moderate sized network. Less frequent key change increases key life and theft exposure. The solution is automated key management based upon a secure, hearty protocol for loading keys downline through the delivery subsystem itself. One scheme, explored by SDC for the National Bureau of Standards, is the use of smart Network Cryptographic Devices (NCDs) controlled by a Network Security Center (NSC) as shown in figure 4 and described in the following section.

THE NETWORK SECURITY CENTER

The NSC is connected to the network, like other hosts, via a smart encryption device, i.e., an NCD. The NSC maintains a security access control data base consisting of users (subjects) and network resources (objects), and the access authorizations of each to the others. During operation, a user terminal or host calls the NSC via an omnipresent clear channel and requests an authorized connection to another resource (e.g., terminal or host). The NSC consults its access data base to validate the authorization for the connection. Since the data base is on-line to the NSC, cautious and controlled data base changes can permit revokable access authorization.



Figure 4. Network Security Center (NSC) with Network Cryptographic Devices (NCD). (Diagram: the NSC, hosts and terminals each attach to the network through an NCD; the area enclosed in a single secure facility is marked.)



The NSC establishes the connection "logically" with positive action by distributing a "connection" key to the NCDs of the authorized and requesting parties. This procedure allows secure, dynamic creation and termination of authorized connections. It permits site mobility of personnel, since their "clearances" are centrally stored and accessed at the NSC. It offers central net-wide access auditing. Also, interoperability to other nets is possible, with the NSC acting as "gateway" to the other nets or to another NSC. The NSC approach offers logically separate subnets to share network facilities and costs, thereby yielding improved security at competitive costs.
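The exchange described in this and the preceding section can be simulated in a few dozen lines. The following is an added example, not SDC's design or code. The paper gives only the shape of the scheme: an access data base of subjects and objects, a request arriving on the clear channel, a connection key loaded downline into the NCDs of both parties, central auditing, and revocation through the on-line data base. How the connection key is protected on its way downline is not stated, so the simulation assumes that every NCD shares a long-term key with the NSC and that the connection key travels wrapped under that key with an authentication tag; the wrap format, the NCD and NSC classes, and the names T1, T2 and H1 are all constructed for the example.

```python
"""Simulation of Network Security Center (NSC) connection-key distribution.
Added example; not SDC's code.  ASSUMED: each NCD shares a long-term key
with the NSC and receives connection keys wrapped under it (nonce |
key XOR keyed pad | truncated HMAC); the page does not specify the format."""
import hashlib
import hmac
import secrets

NONCE_LEN = 8
TAG_LEN = 8


def wrap_key(ncd_key, conn_key):
    """Protect a connection key for downline loading into one NCD (assumed format)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hashlib.sha256(b"pad" + ncd_key + nonce).digest()[:len(conn_key)]
    body = bytes(a ^ b for a, b in zip(conn_key, pad))
    tag = hmac.new(ncd_key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def unwrap_key(ncd_key, blob):
    """Inverse of wrap_key; a blob altered in transit is refused before use."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(ncd_key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        raise ValueError("downline key load rejected: authentication failed")
    pad = hashlib.sha256(b"pad" + ncd_key + nonce).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad))


class NCD:
    """Network Cryptographic Device in front of one terminal or host."""

    def __init__(self, name, ncd_key):
        self.name, self.ncd_key = name, ncd_key
        self.connections = {}          # peer name -> connection key loaded by the NSC

    def load_downline(self, peer, blob):
        self.connections[peer] = unwrap_key(self.ncd_key, blob)


class NSC:
    """Holds the subject/object access data base, validates connection
    requests, distributes connection keys and keeps the net-wide audit."""

    def __init__(self):
        self.ncds = {}                 # resource name -> its NCD (the NSC holds its key)
        self.authorized = set()        # (subject, object) pairs
        self.audit = []                # central net-wide access auditing

    def register(self, ncd):
        self.ncds[ncd.name] = ncd

    def grant(self, subject, obj):
        self.authorized.add((subject, obj))

    def revoke(self, subject, obj):
        # The data base is on-line, so an authorization can be withdrawn at any time.
        self.authorized.discard((subject, obj))

    def request_connection(self, subject, obj):
        """A request on the clear channel: consult the data base and, if the pair
        is authorized, mint a fresh connection key and load it into both NCDs."""
        ok = (subject, obj) in self.authorized and subject in self.ncds and obj in self.ncds
        self.audit.append((subject, obj, "granted" if ok else "denied"))
        if not ok:
            return False
        conn_key = secrets.token_bytes(8)      # 64 bits, the DES key size
        for me, peer in ((subject, obj), (obj, subject)):
            ncd = self.ncds[me]
            ncd.load_downline(peer, wrap_key(ncd.ncd_key, conn_key))
        return True


def tamper_rejected(ncd_key):
    """Flip one bit of a wrapped key in transit; the NCD must refuse it."""
    blob = bytearray(wrap_key(ncd_key, b"\x01" * 8))
    blob[NONCE_LEN] ^= 0x80
    try:
        unwrap_key(ncd_key, bytes(blob))
    except ValueError:
        return True
    return False


def demo():
    """Two terminals and one host (constructed); only T1 is authorized to H1."""
    nsc = NSC()
    for name in ("T1", "T2", "H1"):
        nsc.register(NCD(name, secrets.token_bytes(16)))
    nsc.grant("T1", "H1")
    first = nsc.request_connection("T1", "H1")
    same_key = nsc.ncds["T1"].connections["H1"] == nsc.ncds["H1"].connections["T1"]
    denied = nsc.request_connection("T2", "H1")
    nsc.revoke("T1", "H1")
    after_revoke = nsc.request_connection("T1", "H1")
    return {"first": first, "same_key": same_key, "denied": denied,
            "after_revoke": after_revoke, "audit": nsc.audit}
```

The NSC never sees traffic between the parties: it only hands out the connection key, and every grant or denial lands in its audit list, which is the "central net-wide access auditing" of the text. Revocation here affects future requests; clearing a key already loaded into an NCD would need a further downline message, which the paper does not describe.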

PROTECTION ENFORCEMENT IN THE PROCESSING SUBSYSTEM

Protecting the CPU and its software for shared use is the most difficult security problem. Numerous penetration studies and system software audits of current commercial operating systems have established without doubt their vulnerability to intentional, intelligent attack. Hence, those considering shared processor use among multiple applications must proceed cautiously. The best current countermeasure is not to share, but to dedicate the system to a single application within physical and personnel barriers. Another, less extreme measure, but one with less security, is to prohibit concurrent transaction-oriented application use and software development on the same machine. Then, the only threat is from and between the application users, who are constrained from generating programs to attack the system by the language of the transaction processor. It is already established that the data management application system cannot give better security than the operating system under which it operates, but it can provide finer control granularity of data objects of interest. Of particular interest here is the processing subsystem support to the entry and delivery subsystems' security.

PROCESSING SUBSYSTEM SECURITY SUPPORT FUNCTIONS

A user enters his PIN and ID credentials at the terminal. The most secure authentication of the ID is by the on-line host, which checks the PIN against the CCD for the designated user account. Offline checks at other than the host expose the system to organized fraud that counterfeits cards and PINs simultaneously. The host processor is also necessary to detect duplicate, missing, or altered messages by checking message sequence and redundancy-check numbers. Furthermore, the host must see to it that transactions are securely and positively acknowledged. Of course, the host must log all transactions and process the log for human audit and analysis. Finally, software source data and code stored off line must be protected from accidental, or from intentional but nevertheless unauthorized, modification. This requires good source data/code management and configuration tools, which are best satisfied for large systems by the host computer itself.
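The host-side checks listed above (and the sequence-number and redundancy-code protection against playback introduced in the delivery subsystem section) can be put into one small host routine. The following is an added example, not SDC's code. The paper says that the CCD is "an encrypted form of the PIN" carried on the card and that the host checks the PIN against it, but not how the CCD is derived; here it is assumed to be a keyed one-way function of PAN and PIN under a host key. The message layout (sequence number, body, CRC-32), the field names and the card number are constructed for the example. The host is taken to see each message after its NCD has deciphered it, which is why a plain redundancy code suffices: under full text encryption an outsider cannot alter the text and recompute the code, so the CRC only has to catch garbles and the sequence number only has to catch replayed or withheld messages.

```python
"""Host-side security support functions of the processing subsystem.
Added example, not SDC's code.  ASSUMED: CCD = keyed one-way function of
PAN and PIN under a host key; wire format seq(4) | body | CRC-32(4); the
host receives the body after end-to-end decipherment by its NCD."""
import hashlib
import hmac
import zlib

CCD_LEN = 4


def ccd_from_pin(host_key, pan, pin):
    """Cryptographic Check Digits as the issuer writes them on the card (assumed derivation)."""
    return hmac.new(host_key, f"{pan}:{pin}".encode(), hashlib.sha256).digest()[:CCD_LEN]


def pin_matches(host_key, pan, pin, ccd):
    return hmac.compare_digest(ccd_from_pin(host_key, pan, pin), ccd)


def build_message(seq, body):
    """Terminal side (constructed format): sequence number, body, redundancy code."""
    head = seq.to_bytes(4, "big") + body
    return head + zlib.crc32(head).to_bytes(4, "big")


class Host:
    def __init__(self, host_key, cards):
        self.host_key = host_key
        self.cards = cards             # PAN -> CCD as issued on the card
        self.next_seq = {}             # terminal -> sequence number expected next
        self.log = []                  # every message, accepted or not, for audit

    def _log(self, terminal, seq, verdict, reason):
        self.log.append((terminal, seq, verdict, reason))
        return verdict, reason

    def receive(self, terminal, msg):
        """Return ('ack', 'ok') or ('nak', reason); the verdict is the positive acknowledgement."""
        if len(msg) < 8:
            return self._log(terminal, None, "nak", "short")
        seq = int.from_bytes(msg[:4], "big")
        if zlib.crc32(msg[:-4]).to_bytes(4, "big") != msg[-4:]:
            return self._log(terminal, seq, "nak", "altered")      # redundancy check failed
        expected = self.next_seq.get(terminal, 1)
        if seq < expected:
            return self._log(terminal, seq, "nak", "duplicate")    # playback of an old message
        if seq > expected:
            return self._log(terminal, seq, "nak", "missing")      # a message was lost or held back
        self.next_seq[terminal] = seq + 1                           # in order: consume the number
        fields = dict(f.split(b"=", 1) for f in msg[4:-4].split(b";"))
        pan, pin = fields[b"pan"].decode(), fields[b"pin"].decode()
        if pan not in self.cards or not pin_matches(self.host_key, pan, pin, self.cards[pan]):
            return self._log(terminal, seq, "nak", "bad pin")
        return self._log(terminal, seq, "ack", "ok")


def demo():
    """Constructed traffic from one terminal: good, replayed, skipped, altered, wrong PIN."""
    host_key = b"host master key (constructed)"
    pan = "4000123456789010"
    host = Host(host_key, {pan: ccd_from_pin(host_key, pan, "2468")})
    good = build_message(1, b"pan=4000123456789010;pin=2468;amt=100")
    altered = bytearray(build_message(2, b"pan=4000123456789010;pin=2468;amt=100"))
    altered[-8] ^= 0x01           # one body byte changed in transit; the CRC no longer matches
    wrong_pin = build_message(2, b"pan=4000123456789010;pin=1111;amt=100")
    skipped = build_message(3, b"pan=4000123456789010;pin=2468;amt=5")
    return [host.receive("T1", m) for m in (good, good, skipped, bytes(altered), wrong_pin)]
```

The order of the checks matters: the redundancy code is verified first, so a garbled message never consumes a sequence number, and the sequence number is consumed before the PIN check, so a rejected PIN cannot be retried indefinitely by replaying the same message.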

SUMMARY

In figure 5 we return to our security plan cornerstone, now complete with second-level detail. Threats to computer system security are to the system assets by exploitation of system flaws. All security countermeasure strategies aim to reduce the threats by eliminating assets (e.g., data encryption), eliminating exploiters (e.g., background investigations, bonding), and/or repairing weaknesses (e.g., new design). New designs are now possible with the NBS-DES, NSC, and NCD, which employ the new techniques of DES key distribution and end-to-end encryption.



Figure 5. Cornerstone of a security plan: requirements (safety: accidents; privacy: browsing; security: attack); life cycle (existing operational systems; new developments; future research); system of subsystems (entry and display; delivery (network); processing (CPU)).



Considerations in Applying an Encryption Device to a Communications Network

Barrie Morgan
Datotek, Inc.
13740 Midway Road
Dallas, Texas 75240

This paper outlines the basic considerations which must be met in applying a data encryption device to a communications network. Although the following information applies to most enciphering devices, the DES algorithm does have several unique features which merit special attention.

Key words: Cipher feedback; codebook form; forbidden characters.



1. Introduction

The recent adoption of the Data Encryption Standard (DES) by the National Bureau of Standards has spurred many potential users and suppliers of data encryption devices to investigate the application of this standard. As previously discovered by many engineers and cryptographers knowledgeable in the area of secure communications, there are numerous considerations to evaluate when applying an enciphering device to a communications network. These considerations apply not only to the DES but to data encipherment in general. The DES (basically a block cipher) presents several unique problems when applied to a network which may or may not be block oriented.

All the parameters which must be appraised in securing a communications network are too numerous to cover in detail; however, some of the more prominent parameters are:

Initialization
Suppression of forbidden characters in the ciphertext
Synchronization
Error rate and recovery



2. Properties of a Block Cipher

The DES, as adopted, describes a mechanism by which 64 bits of input data are operated on by a complex iterative algorithm to produce 64 bits of cipher. In the case of computer file enciphering, it can be seen that this algorithm works quite well. For example, assume one wished to encipher a file consisting of 64-bit words as shown in figure 1. Each word is pulled from the file, enciphered by the DES and replaced. Notice that each word of the file is a separate entity and can be enciphered one at a time in any order. The fact that each file word is handled separately provides the user with a great deal of flexibility. Enciphering can occur in sections. The enciphered file words can be rearranged, and portions of the file can be deleted with no effect on the subsequent deciphering.



Figure 1. A computer file of 64-bit words, each word passed through the DES on its own.



When used in this manner, the block cipher requires no special initialization or synchronization. Errors are unlikely in such a local process, and forbidden characters (illegal combinations of bits) normally do not present a problem in a data file. Therefore, the block ciphering method seems to be an ideal approach for protecting a computer file. The problems appear when the secure file is transmitted.

3. Considerations in Secure Data Transmission

Let us assume that the problem is not merely to encipher a sensitive file but to transmit it via a computer switch from location A to location B and to protect it from unauthorized eavesdroppers during transmission. Normally the words are concatenated to form a serial bit stream which is then embedded in a format required by the protocol of the switching computer. In figure 2, a simplified diagram is shown utilizing a Key Generator (KG) in the conventional method of enciphering such a bit stream. The data bit stream is presented to the modulo-2 adder simultaneously with a pseudo-random bit stream produced by the KG. Each data bit and key bit produces a cipher bit which is transmitted via the communications channel. At the receiving device, the inverse process occurs. The incoming cipher stream is modulo-2 added with the identical key stream (identical to the key stream used to encipher the data) and the original data is reproduced.

Figure 2. Key generator (KG) enciphering of a serial bit stream: input data and KG output into a modulo-2 adder, communications channel, modulo-2 adder with the identical key stream at the receiver, recovered data.

Next let us consider the format of the message shown in figure 3. Prior to transmitting the secure data file, a header must be transmitted which instructs the computer switch as to the proper routing of the message. This part of the message must remain clear (unenciphered). An indicator denoting the beginning of the data file or the start-of-text (STX) is used by the KG to start the enciphering process.



Figure 3. Message format: HEADER | STX | RANDOM START | SECURE DATA | ETX | TRAILER.



To synchronize the two key generators cryptographically, a starting point must be identified by both the receiving and the transmitting devices. This is usually accomplished by letting the transmitting device generate a random starting point. This random start is transmitted to the receiving end to enable the two key generators to begin at the same random point. This provides additional security to the system. The random starting point guarantees that identical messages enciphered with the same key variables always produce different cipher. This is particularly important if the messages are highly formatted and are similar in content.

After the starting point is established, the KGs are stepped in synchronism as some function of the data, or of the modems. Finally, the end-of-text (ETX) halts the enciphering process and allows the trailer of the message to be transmitted in the clear.

From this one example, most of the basic problems of adding encryption to a communications channel can be illustrated. (The following summary applies to data encryption in general and not to the DES specifically.)

3.1 Initialization

The header of the message must be clear for proper computer routing and the enciphering is initiated by the STX character. The random starting address completes the required initialization of the KGs.

3.2 Forbidden Characters

Control characters normally are reserved for control of the communications channel. Therefore, it is required that control characters such as STX, ETX, etc. be transmitted in the clear. Conversely, no control characters should appear in the enciphered text. The occurrence of these control characters in the cipher could cause spurious and erratic operation of the channel and the computer switch.

3.3 Synchronization

Once the key generators are started, they must be incremented or stepped under control of the data or by the modem depending upon the type of transmission. Normally, the data start-bit is used to step the KGs in asynchronous channels. In synchronous channels, the modem clock provides the stepping signal. In either case, if a character or a bit is dropped during transmission so that the KGs lose synchronism, the remainder of the message will be indecipherable. When this happens, the ETX will not be recognized by the receiving device and the KG will not be switched off. Some recovery procedure must be initiated to start the transmission again.

3.4 Error Rate and Recovery

A single bit error in the cipher occurring during transmission will cause a single error in the deciphered data. However, if a bit is dropped (or added), causing the two KGs to get out of step, the rest of the message will be lost. It is essential to activate a recovery procedure, usually a time-out, then restart the transmission.

4. DES in Codebook Form

Codebook form refers to the DES as published in the Federal Register, in that a 64-bit data word is applied and a 64-bit cipher word is produced. When operated in this fashion the DES is somewhat analogous to a large look-up table or code book. If the same 64-bit word is applied repeatedly to the input, the same cipher is produced. This will continue until the key variables are changed.

Most of the basic problems mentioned above remain when the DES is used in the codebook form. Notice in figure 4 that the KG has been replaced with the DES algorithm. A 64-bit register has been added to accumulate the serial data bits and present them to the DES in parallel for enciphering.



Figure 4. DES in codebook form on a communications channel: data is accumulated in a 64-bit register, enciphered by the DES and sent through a modem; at the far end the modem, DES and register reverse the process to give the recovered data.



The requirement for initialization still exists since the header and the trailer must remain in the clear. However, the random starting address used by the conventional KG approach is not meaningful when using the DES because each 64-bit block is a separate entity. This is one of the characteristics of the DES which should be considered by the user. The cipher produced is solely a function of the 64 bits presented and does not depend on previous blocks. Messages which are highly formatted, such as Electronic Funds Transfer (EFT), will produce the same cipher if the same input is applied. This may produce "recognizable cipher" in certain portions of the message, which may not be acceptable from the security viewpoint.

The forbidden character problem is still present and is complicated by the fact that the cipher being produced in blocks is not necessarily character oriented.

Synchronization still remains critical. If a bit is dropped during transmission, the remainder of the message will be lost since the receiver will be operating on the wrong 64-bit block. The same type of error recovery procedures described above will be required. A single bit error now generates a 64-bit burst error, because the algorithm operates on each 64 bits as a block. A single bit error in the block produces a deciphered block which has little resemblance to the original.

A final problem in applying the DES occurs when the message is not an even multiple of 64 bits in length. The controller must recognize this situation and provide enough fill bits to complete the block.



5. DES in Cipher Feedback Mode

Some of the shortcomings of the codebook approach can be overcome by using the algorithm in an entirely different configuration. Figure 5 illustrates the cipher feedback mode of the DES. Here the DES is used (more or less) as a key generator. The output of the DES is modulo-2 added to the data to produce ciphertext. In this case, the key and data are added character serial/bit parallel. The ciphertext produced is transmitted and at the same time loaded into the input register which supplies the 64-bit input to the DES. The previous contents of the input register are shifted eight bits to the right prior to loading the new ciphertext character. The DES now executes another cycle and uses the first eight bits of the output to encipher the next eight bits of data. The other 56 bits are discarded. This process continues until the input register has been completely loaded with ciphertext. Notice that the receiving device is connected differently in that the ciphertext is fed directly into the input register. As soon as the input registers in both the transmitting and the receiving devices have received 64 bits of ciphertext, they will start producing identical output. Enciphering continues in this manner on a character-by-character basis.

Figure 5. DES in cipher feedback mode. At each end a 64-bit input register feeds the DES; 8 bits of the output are used and 56 bits discarded. The transmitter loads its own cipher character into the register; the receiver loads the cipher character arriving from the communications channel.

What advantage does this configuration offer? The most obvious advantage is that the two units are self-synchronizing. All that is required for identical output is identical content in the input register. Since the input register in each device is being loaded with the same ciphertext, the output of each DES is the same. Should a bit be dropped during transmission, the receiving unit will generate invalid output until the input register has been properly filled. Therefore, we see that the loss of a bit does not cause the remainder of the message to be lost, but only a 64-bit burst error is generated. Unfortunately, the DES reacts to a single bit error in exactly the same manner. In other words, each single bit error produces a 64-bit burst error. This is referred to as the "error multiplier" or "error extension" of the system.

To initialize the cipher feedback mode, the message must be preceded with eight dummy (preferably random) fill characters. The message format using the cipher feedback mode may appear as shown in figure 6. Again, the clear header is necessary for computer switching, and the STX character can be used to start the enciphering process. The random fill guarantees that the input register has sufficient data to start generating valid key. These eight fill characters can be ignored or discarded by the receiving device.



Figure 6. Cipher feedback message format: HEADER | STX | RANDOM FILL | SECURE DATA | ETX | TRAILER.

The forbidden character problem is still present, but since the ciphertext is being generated on a character-by-character basis, additional circuitry can be included to suppress unwanted cipher characters before transmission.

This configuration offers the distinct advantage of being self-syn­chronizing at the expense of loss in potential throughput. On high speed circuits, the maximum throughput of the DES may become more critical in cipher feedback mode. Since each enciphering cycle of the DES produces only eight bits of cipher instead of 64 bits of cipher as in the codebook configuration, higher speed is required to produce a given data rate.

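The behaviour of the two configurations described in sections 2, 4 and 5 can be checked in code. The following is an added example, not code from this paper or from Datotek. A stand-in 64-bit block cipher (a 16-round Feistel network with a SHA-256 round function, assumed here only because it has the DES's 64-bit block; it is not the DES and carries no security claim) is driven first in codebook form and then in the 8-bit cipher feedback arrangement of figure 5, with the eight random fill characters of figure 6 taking the place of the KG's random start. It shows the points made above: identical codebook blocks give identical "recognizable cipher"; a flipped cipher bit garbles a whole 64-bit block and nothing else; in cipher feedback a receiver whose register starts in a different state falls into step after eight ciphertext characters, and a dropped or flipped character costs the 64 register bits that follow it and no more.

```python
"""Codebook form versus 8-bit cipher feedback on a channel.  Added example,
not from the paper or from Datotek.  A stand-in 64-bit block cipher (a
16-round Feistel network with a SHA-256 round function) sits where the DES
would; it is NOT the DES and makes no security claim, it merely has the
DES's 64-bit block so that both modes behave as the paper describes."""
import hashlib
import secrets

BLOCK = 8   # 64-bit block, as for the DES
FILL = 8    # fill characters preceding the data in cipher feedback (figure 6)

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]  # keyed 32-bit round function

def _feistel(key, block, rounds):
    left, right = block[:4], block[4:]
    for rnd in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, right, rnd)))
    return right + left          # undo the final swap, as any Feistel cipher does

def block_encrypt(key, block):
    return _feistel(key, block, range(16))

def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(16)))

def ecb_encrypt(key, data):
    """Section 4, codebook form: each 64-bit block on its own, after the controller has padded."""
    if len(data) % BLOCK:
        raise ValueError("codebook form needs fill bits to complete the last block")
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

class CFB8:
    """Section 5, figure 5: the cipher is run on the 64-bit input register, the
    first 8 output bits key one character, the other 56 are discarded, and the
    ciphertext character is shifted into the register.  Transmitter and
    receiver differ only in where that character comes from."""

    def __init__(self, key, register=bytes(BLOCK)):
        self.key, self.reg = key, register

    def _keybyte(self):
        return block_encrypt(self.key, self.reg)[0]

    def encrypt_char(self, p):
        c = p ^ self._keybyte()
        self.reg = self.reg[1:] + bytes([c])     # feed back own ciphertext
        return c

    def decrypt_char(self, c):
        p = c ^ self._keybyte()
        self.reg = self.reg[1:] + bytes([c])     # feed back ciphertext from the line
        return p

def cfb_transmit(key, data):
    """Register in an arbitrary power-up state; eight random fill characters, then the data."""
    tx = CFB8(key, secrets.token_bytes(BLOCK))
    return bytes(tx.encrypt_char(b) for b in secrets.token_bytes(FILL) + data)

def cfb_receive(key, line):
    """Register starts in a different (zero) state: the first eight characters
    decipher to garbage and are discarded as fill; from then on both registers
    hold the same 64 bits and the two units are in step."""
    rx = CFB8(key)
    return bytes(rx.decrypt_char(c) for c in line)[FILL:]

def ecb_recognizable_cipher(key):
    """Identical formatted blocks give identical cipher in codebook form."""
    c = ecb_encrypt(key, b"AMT=0100AMT=0100")
    return c[:BLOCK] == c[BLOCK:]

def ecb_bit_error(key, data, pos):
    """One flipped cipher bit: that whole block is garbled, its neighbours are intact."""
    c = bytearray(ecb_encrypt(key, data))
    c[pos] ^= 0x01
    p, b = ecb_decrypt(key, bytes(c)), pos - pos % BLOCK
    return p[:b] == data[:b], p[b:b + BLOCK] != data[b:b + BLOCK], p[b + BLOCK:] == data[b + BLOCK:]

def cfb_dropped_char(key, data, d):
    """Drop data character d from the line: the next eight characters (64 bits)
    are wrong, then the register has refilled from the line and the rest is recovered."""
    line = cfb_transmit(key, data)
    got = cfb_receive(key, line[:FILL + d] + line[FILL + d + 1:])
    want = data[:d] + data[d + 1:]
    return got[:d] == want[:d], got[d + 8:] == want[d + 8:]

def cfb_bit_error(key, data, d):
    """Flip one bit of data character d on the line: that bit is flipped in the
    recovered character, the next eight characters are garbled (the error
    extension), and everything after that is recovered."""
    line = bytearray(cfb_transmit(key, data))
    line[FILL + d] ^= 0x10
    got = cfb_receive(key, bytes(line))
    return got[:d] == data[:d], got[d] == data[d] ^ 0x10, got[d + 9:] == data[d + 9:]
```

The shift register is modelled as a byte string shifted one character per cycle; whether the hardware shifts left or right is immaterial as long as both ends agree. Note that the receiver recovers because it is fed the line's ciphertext, not its own output: that is the asymmetry the paper points out in figure 5, and it is what makes the mode self-synchronizing.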

6. Conclusion

The DES algorithm approved by the NBS is a significant step toward standardizing the encryption of data transmitted over communications channels. However, the algorithm itself is only one of the requirements needed to implement a secure data system. Although the Standard as adopted is readily adaptable to enciphering file data, numerous variables and options remain as to how the DES is to be applied to a switched network. The cipher feedback mode does make the DES more readily adaptable to the telecommunications environment. However, more standards must be adopted before totally compatible networks are ensured.









Management of Encryption Keys



David J. Sykes
Honeywell Information Systems, Inc.
P.O. Box 6000
Phoenix, AZ 85005






In a system where the details of the encryption algorithm are publicly known, the overall security of the system is heavily dependent on the security of the keys. This paper discusses the various aspects of key management such as key generation, key storage, key distribution and key loading. Techniques to perform these functions are described with emphasis on data communications applications. Rather than recommend a general solution to the key management problem, numerous factors are presented for consideration by the system planner. The need for a trade-off between complexity and practicality in a real world environment is stressed.

Key words: Encryption Keys; Key Distribution; Key Generation; Key Loading; Key Storage.



1. Introduction



The NBS algorithm is based on a 64 bit key. The key can exist physically in the form of manual switch settings, a series of bits stored in a memory, holes in a punched card, or bits recorded on a magnetic stripe card like a credit card. Of the 64 bits, 8 are parity bits and as such are determined by the other 56 bits. The number of possible keys is 2^56 or approximately 7.2 x 10^16. The strength of the NBS algorithm is based on the large number of possible keys combined with a non-linear enciphering process. A good key management system must therefore make proper use of the very large number of keys available.

Now that the NBS encryption algorithm has been adopted, and several devices based on it are appearing in the marketplace, the subject of key management becomes very important. If we assume the adversary knows all about the algorithm, its implementation in your system, and your operating procedures, the knowledge of the keys is the only critical thing he does not have. It has been accepted that the determination of the key by trial and error is not economically feasible, and consequently the criminal must resort to methods of directly obtaining the key. This paper addresses the methods of safeguarding the keys during their generation, storage, distribution, loading and handling.

2. General Principles

There are no standard methods for implementing key management. Each organization must plan and implement its own system based on the particular risks and consequences of a key being discovered and used by an unauthorized person. It should be assumed that there is collusion between a person inside the organization and a person on the outside.

A quantitative assessment should be made and a key management scheme tailored accordingly. In particular, the differences should be recognized between a communications application where the key can be changed frequently, and a media encryption scheme where the keys need secure storage during the valuable life of the data.

Whereas the encryption algorithm and its implementation details will be publicly available, all aspects of key management should be kept "secret" within the organization. Only the minimum number of trusted employees should be involved in key management. A well thought out plan should be made, and tight discipline enforced. A key management scheme which is loosely handled will produce chaos and could result in a reduction in overall security. A trade-off should therefore be made between additional complexity and the need for smooth day to day operation.



3. Key Generation

Keys themselves should be unpredictable and changed as frequently as necessary (based on risk assessment). It may be better to change them at unpredictable times. It makes the criminal's job easier if he knows keys are changed at the same time on the same day each week.

Any temptation to relate keys to other entities (such as names, dates, I.D. numbers) should be avoided. Neither should keys be chosen so as to form an easily memorized sequence of characters. This would limit the number of usable keys to a quantity far less than the maximum. The keys should be generated so as to be statistically independent and uniformly distributed over the range 0 to 2^56, i.e., there should be an equal probability of any key being generated, as shown in figure 1. Computer programs which always generate the same sequence of random numbers obviously should not be used. Instead, programs using a variable seed obtained from an external source provide a much superior method. Note that the key generation must be done on a 56 bit basis and 8 parity bits added subsequently, because a 64 bit random number would be rejected by many encryption devices if the key parity check failed. Figure 2 shows a simple scheme for generating keys.



Figure 1. Uniform Distribution of Keys (probability plotted against key k).

Figure 2. Key Generation: the key generation program calls a random number subroutine, which takes its seed from a free-running counter, and outputs keys.



A hardware counter running at several hundred kHz and in no way synchronized to the processor is read by a random number subroutine. The counter contents at the time of reading are used as the seed for the random number generation. Since the time at which the subroutine is called is random relative to the counter, the seed is totally unpredictable. In many systems the time of day clock can be used as the source of a seed.

Random number generation is a subject in itself. Reference [1] gives a good overview of the topic and also discusses methods of testing the randomness. This reference also contains an extensive set of further references.

Needless to say, the key generation program must itself be carefully scrutinized to ensure there are no inputs or outputs other than the intended ones. Also, the key generation program must be run under strict supervision, and memory used during the key generation process should be erased after use.
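The 56-bit-plus-parity rule of this section, as an added example that is not code from the paper. The names, the DES convention of odd parity in the low-order bit of each key byte, and the use of the operating system's random source in place of the counter-seeded subroutine of figure 2 are this example's assumptions.

```python
import secrets


def key_from_56_bits(raw56: bytes) -> bytes:
    """Spread 56 random bits over 8 key bytes, 7 bits per byte, and set each
    byte's low-order bit so the byte has odd parity (DES convention, assumed).
    The parity bits are thus determined by the other 56 bits, as the text says."""
    if len(raw56) != 7:
        raise ValueError("need exactly 7 bytes (56 bits)")
    bits = int.from_bytes(raw56, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F     # next 7 information bits
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:        # make the number of 1 bits odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def strip_parity(key: bytes) -> bytes:
    """Inverse of key_from_56_bits: recover the 56 information bits."""
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def parity_ok(key: bytes) -> bool:
    """The check an encryption device applies before accepting a key."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def generate_key() -> bytes:
    """Generate on a 56-bit basis, then add parity.  secrets.token_bytes reads
    the operating system's random source (assumption: it stands in for the
    counter-seeded random number subroutine of figure 2) and never repeats the
    same sequence from run to run."""
    return key_from_56_bits(secrets.token_bytes(7))


def rejection_rate_of_raw_64_bit_keys(trials: int = 1000) -> float:
    """Fraction of raw 64-bit random numbers a parity-checking device would
    reject: each byte is odd-parity with probability 1/2, so all eight pass
    only once in 256 tries."""
    rejected = sum(1 for _ in range(trials) if not parity_ok(secrets.token_bytes(8)))
    return rejected / trials
```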

4. Key Storage

Once keys have been generated they should be stored in a protected area of memory until use. They should not be printed out unless absolutely necessary. The time keys are in storage should be minimized by generating them as late as possible. If long term storage is unavoidable (as in the case of file encryption applications) the keys themselves should be encrypted with another "master" key. This latter key should not be resident in any part of the system.

5. Key Loading

There are four basic methods by which a key can be loaded into the encryption device. Not all are available in the marketplace; they only indicate possibilities.

5.1 Manual Switches 

Most of the first available products will use this approach. 16 hexadecimal switches can determine 64 bits. Since this 16 hex digit number will be difficult to remember, it must be written down on paper which must be properly safeguarded. The devices should be locked up out of sight within a secure area.

5.2 Plug-in Modules

A small module containing read only memory can be used to convey the key to the encryption device. Once the ROMs have been programmed under strict security controls, the module can be handled and the key loaded into the device without anybody knowing the actual key. Furthermore, compared to a device with manual setting, changing the key is made much more difficult for the criminal.




5.3 Magnetic Stripe


This method is less expensive than the ROM above and still has the advantage that the key is not visible to the person handling it. The magnetic stripe reader may be built into a terminal device or can be in the form of a separate portable device only accessible to persons authorized to handle the key.

5.4 Electrical Interface 

If the device is physically adjacent to (or built into) a communications processor, the key can be loaded via an electrical connection to the processor I/O. This enables the keys to be transferred from tables in memory to the device without human handling.

An expansion to this method is the transmission of the key down a communication line to a remote encryption device. Obviously special precautions have to be taken in this mode.

6. Key Distribution

There are only three basic ways of distributing keys:

6.1 Registered mail, with its attendant risks.

6.2 Courier, which for a price can be as secure as desired.

6.3 Down line load, which is very dangerous unless the new key is encrypted with a special key which is never transmitted over the line. Encryption of the new key solely by the current key is not recommended for obvious reasons.

One way not to transmit keys is verbally over the telephone. One may become so preoccupied with the security of the data link that a little carelessness when talking on the telephone could easily give away the key.


7. Link Encryption

Link encryption is probably the method most users will elect to use in their first encryption applications. This is because it will be the method which has the minimum impact on hardware and software in existing systems. Keys will be set manually in most cases, and the rules mentioned earlier must be observed.

If dedicated lines are used, which is the preferred way, there should be a different key for each link, and possibly a different key for each direction of traffic on the same link.

If dial-up lines are necessary because of a high ratio of terminals to ports on the communications processor, then each terminal should have its own key. Figure 3 illustrates a subset of such a system.



Figure 3. Key Management in a Switched Network: terminals with their encryption devices (keys K1, K2, K3, ...) reach the communications processor through the switched network; the port devices at the processor hold keys KA, KB, ...



The keys K1 through K4 have been previously inserted in the terminal encryption devices, and a table mapping I.D. and keys is stored at the central site. A terminal first identifies itself in the clear, and this enables the network processor to set the appropriate key into the device associated with the port to which the connection is made. When the call is completed, the key is erased from the device at the central site.

8. User Oriented Keys



In some cases it may be beneficial to have user oriented keys, instead of, or in addition to, device or link oriented keys. With this approach, each user has his own key. He may or may not know the actual key depending on the form of handling.

In an EFTS application the key can be in the form of a Personal I.D. Number (PIN) which is used to encrypt the Personal Account Number (PAN). The resulting encrypted PAN is then further encrypted by using a device oriented key. If the PIN has to be entered via a keyboard, the user must know the PIN.

Another scenario for user oriented keys is where a high level of security is required. Each user has a key on a magnetic card, and the card is surrendered to the guard as the user leaves the secure area where the terminals are located. The user does not know the key nor does he know when it has been changed. To gain access to the system, he first identifies himself in the clear and then, after insertion of his key, switches to encrypted mode. He then enters his own password, date and time of day, which are also encrypted and transmitted to the central site. He is only permitted to continue his dialog if the password decrypted by the key assigned to him checks with the password on file. The time and date are also checked to guard against the possibility of a recorded message being played back into the system at a later time via an active wiretap.
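The call set-up of section 7 (I.D. in the clear, key table at the central site, key loaded into the port device for the call and erased afterwards) together with the encrypted login check of section 8, as an added example that is not the paper's own code. The class and function names, the record layout, the two-minute acceptance window for the date and time, and the SHA-256-based stand-in for the terminal's encrypted mode are all assumptions of this example.

```python
import hashlib
import secrets


def toy_encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Stand-in for the terminal's encrypted mode (NOT DES): a random 8-byte
    nonce and a SHA-256-derived pad, enough to make the exchange run offline."""
    nonce = nonce or secrets.token_bytes(8)
    pad = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                   for i in range(len(plaintext) // 32 + 1))
    return nonce + bytes(p ^ pad[i] for i, p in enumerate(plaintext))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    return toy_encrypt(key, blob[8:], blob[:8])[8:]   # XOR pad is its own inverse


class CentralSite:
    """Holds the table mapping I.D. to key and the password on file.  A port
    device receives a key only for the duration of a call."""
    WINDOW = 120   # assumed acceptance window for the date/time, in seconds

    def __init__(self):
        self.table = {}   # user id -> (key, password on file)
        self.ports = {}   # port -> key currently loaded into that port's device

    def enrol(self, user_id: str, key: bytes, password: str):
        self.table[user_id] = (key, password)

    def call_setup(self, port: int, user_id: str) -> bool:
        """The terminal identified itself in the clear: set its key into the
        device on the port the connection arrived on."""
        if user_id not in self.table:
            return False
        self.ports[port] = self.table[user_id][0]
        return True

    def login(self, port: int, user_id: str, record: bytes, now: int) -> str:
        """Decrypt the login record with the key on the port and verify it.
        'now' is the central site's clock in seconds."""
        key = self.ports.get(port)
        if key is None:
            return "no key loaded on port"
        try:
            password, stamp = toy_decrypt(key, record).decode("ascii").split("|")
            stamp = int(stamp)
        except (UnicodeDecodeError, ValueError):
            return "undecipherable (wrong key?)"
        if password != self.table[user_id][1]:
            return "password mismatch"
        if abs(now - stamp) > self.WINDOW:      # a recording played back later
            return "stale date/time: possible replay"
        return "accepted"

    def call_complete(self, port: int):
        self.ports.pop(port, None)   # key erased from the device at the central site


def terminal_login_record(user_key: bytes, password: str, now: int) -> bytes:
    """Terminal side, after switching to encrypted mode: password and
    date/time (here seconds) encrypted under the user's key."""
    return toy_encrypt(user_key, f"{password}|{now}".encode("ascii"))
```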



9. Composite Keys



In cases where very special precautions have to be taken, the concept of composite keys can be employed. The actual key used is derived from one or more keys by some simple process such as modulo 2 addition. The encryption equipment must be designed so as to perform this operation prior to loading of the actual key into the encryption chip. The individual keys can be handled by separate persons, or one key can be user oriented and the other device oriented. Each key must be the full length. Giving half the key to one person and half to another would drastically reduce the security level, since the ratio 2^56 to 2^28 is the same as the ratio of 1000 years to 10 minutes.






10. Summary



Key management schemes must be tailored to the needs of the individual organization. One can conceive of "ultimate" solutions using end to end encryption with key generation and loading performed automatically by a computer assigned to the task. It will be several years before such schemes can be considered a reality, and in the meantime we will have to use more down to earth approaches. Human beings will be heavily involved in key management, and as in any security situation, careful steps must be taken to ensure their integrity.

In practice it will be necessary to sacrifice extra complexity for the sake of smooth operation. In addition to careful planning, the chosen system should be thoroughly tested and particular attention paid to what would happen in abnormal situations such as loss of a key or recovery from a system crash.

All possible eventualities should be considered and a comprehensive set of rules established. A tight discipline must then be enforced.



A final reminder: if the key management scheme is not designed properly or adequately enforced, the result could not only be disastrous from a security viewpoint, but the viability of the entire system may be jeopardized.



Reference



[1] Chambers, R.P., "Random Number Generation," I.E.E.E. Spectrum, February 1967.






Design and Specification of Cryptographic Capabilities

Carl M. Campbell,Jr. (Consultant)
Interbank Card Association
809 Malin Road, Newtown Square, Pa. 19073


Cryptography can be used to provide data secrecy, data authentication, and originator authentication. Non-reversible transformation techniques provide only the last. Cryptographic check digits provide both data and originator authentication, but no secrecy. Data secrecy, with or without data authentication, is provided by block encryption or data stream encryption techniques. Total systems security may be provided on a link-by-link, node-by-node, or end-to-end basis, depending upon the nature of the application.



Key words: Cryptography; data security; encryption.



1. Introduction

Up to the present, cryptography has been a relatively unknown science, used primarily to secure sensitive governmental communications. However, with the introduction of the Data Encryption Standard (DES) we expect to see cryptography widely applied in data processing systems, especially in digital communications, to provide data security. It is thus essential that the designers of these systems gain an understanding of this new technology.

2. Uses of Cryptography



Cryptography can be used to provide three aspects of data security:

(1) Data secrecy.
(2) Data authentication.
(3) Originator authentication.



The first use of cryptography, data secrecy, is relatively well understood, and will be an important use in an EDP environment.

Data authentication and originator authentication are less understood, but will be very important uses of cryptography in the future. To understand data authentication, assume that "A" is transmitting data to "B." "B" wants assurance that the data it is receiving is precisely the data which "A" transmitted. Though conventional error control techniques can protect against communications errors, "B" is concerned that someone with a sophisticated "active wiretapping" capability may have deliberately modified the data from "A," and made the appropriate modifications in any associated error control fields. Cryptographically implemented data authentication provides assurance that the data was received as originated.

Originator authentication is similar to data authentication. This time "B" requires assurance that it is receiving data from the "real 'A'" and not from an impostor who may have assumed "A's" identity. Again, cryptography can provide the solution.



There are an almost unlimited number of ways in which cryptography can be applied. Some applications meet only one or two of the above objectives, and some meet them all.

3. Originator Authentication

A simple use of cryptography meets only the third objective, originator authentication. In this approach, figure 1, each authorized user of a system is given a secret "authorization code." Each terminal incorporates a cryptographic capability into which he enters this code. The code is "non-reversibly transformed" into another code. This means that, given the transformed code, there is no way to determine the actual code except for an exhaustive "trial and error" procedure, which is presumed to be non-feasible if the original code is quite long (approximately 56 bits) and reasonably random. The system's central processor stores, in a manner which may be non-secure, each user's transformed code. A simple comparison is thus sufficient to authenticate the user.


Note that this approach does not require a unique terminal key, so imposes no "key management" requirements. Note also that it does not require any on-line cryptographic capability at the central facility.



Figure 1. Non-reversible transformation for user authentication: the user's authentication code (approximately 56 bits) serves as the DES key with which a fixed pattern is encrypted; the resulting transformed code is compared with the transformed code for this user held in the memory of the non-secure central facility, giving a valid/invalid decision.



4. Data Authentication



A very useful cryptographic technique, cryptographic check digits, provides data authentication and can provide originator authentication, but provides no data secrecy. Cryptographic check digits may be likened to parity check digits or to a cyclic redundancy check in that a check field is added to the message by the originator and verified by the recipient. However, unlike a conventional error control check field, the cryptographic check digit field is generated by a cryptographic algorithm and utilizes a secret key known (desirably) by originator and recipient alone. Thus the field protects not only against accidental garbles, but also against deliberate attempts to modify the transmitted data. Without knowing the secret key, the one attempting such data modification would be unable to make the appropriate changes in the cryptographic check digits field which would be required for his modification to escape detection.

Note that originator authentication is provided if the recipient is certain that only the authorized originator possesses the secret key.

DES may be used to generate cryptographic check digits, as, for example, is illustrated in figure 2. Each group of 64 message bits is passed through the algorithm after being combined with the output of the previous pass. The final DES output is thus a residue which is a cryptographic function of the entire message. All or part of this residue may be used as the cryptographic check digits.

Cryptographic check digits alone cannot detect the fraudulent replay of a previously valid message, nor the deletion of a message. To protect against these threats, each transmission of a message must be made unique. One technique is to insert a cryptographically-protected sequence number into the message. Another is to use a different key for each message.



5. Data Secrecy 

Secrecy of transmitted data may be provided by a number of techniques, some providing data authentication and some not. All of the suggested techniques utilize a secret key, and so provide originator authentication if this key is properly controlled.

5.1 Block Encryption

The Data Encryption Standard is inherently a block encryption algorithm, requiring blocks of precisely 64 bits.



Figure 2. CCD generation for data (originator) authentication: each 64-bit block of the message enters the cryptographic process combined with the previous output; the final residue supplies the CCDs, which are transmitted with the message.



Given a plain-text block of 64 bits, a secret key, and the "encrypt" command, the DES algorithm produces 64 cipher bits. Given these 64 cipher bits, the same key and the "decrypt" command, the algorithm produces the original 64 plain-text bits. Thus, as long as the block size is exactly 64 bits, block encryption with DES is extremely simple.

Short blocks. If the block size is less than 64 bits, these bits must be "padded" (with any fixed or variable pattern) to make 64 bits if the algorithm is to be used in its normal block-encryption manner. All 64 of the resulting cipher bits must be transmitted to the recipient even though, in this example, only 20 bits of underlying information are present. The recipient block-decrypts these 64 bits, resulting in 64 plain-text bits. All but 20 of these must be discarded, leaving the 20 original information bits.

The use of DES for a block size of less than 64 bits is thus somewhat inefficient, in that the full 64 bits must still be transmitted. Different techniques for using DES are possible which overcome this disadvantage, but they introduce other disadvantages.

Multi-block. Where the block to be encrypted is long, it can be broken up into groups of 64 bit blocks, and each such block encrypted independently. This simple approach provides secrecy, but it does not provide a high degree of data authentication. For example, assume two block-encrypted messages, one reading: "PAY TO J. JONES $9,000.00" and the second: "PAY TO S. SMITH $1,000.00." If the "$9,000.00" and the "$1,000.00" should each fall precisely within a block, it would be possible to replace the cipher block for "$1,000.00" with that for "$9,000.00" so that when the recipient decrypts the second message it reads: "PAY TO S. SMITH $9,000.00."

This process, by which cipher is manipulated, is called "spoofing." Note that the "spoofer" knows corresponding cipher and plain text, but does not know the secret key. His objective is to intercept, modify and then retransmit the cipher, all in such a manner that his deception is not detected.

Encryption techniques can be devised which prevent "spoofing," but in order to do so it is necessary to introduce something called "garble extension." This means that if any portion of the cipher becomes garbled (i.e. changed), the decryption by the recipient of a certain amount of subsequent cipher is also garbled.



Figure 3 illustrates one method by which garble extension, and hence spoofing prevention, can be incorporated into a block encryption system. The "E" boxes perform block encryption, and the "D" boxes block decryption. The "⊕" function indicates exclusive-or. The approach of figure 3 provides "infinite" garble extension. That is, any change to the cipher garbles the decryption of all subsequent cipher. Infinite garble extension has the feature that the originator can place in the final block a pattern expected by the recipient. If the recipient finds the expected pattern at the end of the message, he is assured that the entire message, regardless of length, was received precisely as originated.
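The spoof of section 5.1, the check digits of section 4 and a chaining with the infinite garble extension described for figure 3, as an added example that is not the paper's own code. The toy Feistel cipher standing in for DES, the block-aligned sample messages, the trailer pattern and the exact chaining wiring (which the scanned figure does not let one recover) are this example's assumptions.

```python
import hashlib

MASK32 = (1 << 32) - 1


def toy_block(key: bytes, block: int, decrypt: bool = False) -> int:
    """Stand-in for DES: a 4-round Feistel permutation of a 64-bit block with a
    SHA-256 round function.  NOT DES and NOT secure; it only provides the
    invertible E/D pair the block modes below need in order to run offline."""
    left, right = block >> 32, block & MASK32
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(f[:4], "big")
    return (right << 32) | left


def to_blocks(text: bytes) -> list:
    """Split into 64-bit blocks; a short final block is padded with spaces,
    a fixed pattern as the 'short blocks' paragraph allows."""
    text += b" " * (-len(text) % 8)
    return [int.from_bytes(text[i:i + 8], "big") for i in range(0, len(text), 8)]


def from_blocks(blocks: list) -> bytes:
    return b"".join(b.to_bytes(8, "big") for b in blocks)


def ecb_encrypt(key, blocks):
    """'Multi-block' of section 5.1: every block encrypted independently."""
    return [toy_block(key, b) for b in blocks]


def ecb_decrypt(key, blocks):
    return [toy_block(key, b, decrypt=True) for b in blocks]


def check_digits(key, blocks):
    """Cryptographic check digits (figure 2): each block is combined with the
    previous output and passed through the algorithm; the final output is the
    residue.  Only the encrypt direction is used."""
    residue = 0
    for b in blocks:
        residue = toy_block(key, b ^ residue)
    return residue


def chained_encrypt(key, iv, blocks):
    """Chaining with the 'infinite' garble extension the text ascribes to
    figure 3: each E box input is the block XORed with both the previous
    plain-text block and the previous cipher block (assumed wiring)."""
    prev_p, prev_c, out = 0, iv, []
    for p in blocks:
        c = toy_block(key, p ^ prev_p ^ prev_c)
        out.append(c)
        prev_p, prev_c = p, c
    return out


def chained_decrypt(key, iv, blocks):
    prev_p, prev_c, out = 0, iv, []
    for c in blocks:
        p = toy_block(key, c, decrypt=True) ^ prev_p ^ prev_c
        out.append(p)
        prev_p, prev_c = p, c
    return out


# Constructed sample messages, laid out so that each amount fills one block.
MSG_A = b"PAY TO J. JONES $9000.00"
MSG_B = b"PAY TO S. SMITH $1000.00"
TRAILER = b"END-MARK"   # pattern the recipient expects in the final block


def spoof_ecb(key):
    """Section 5.1 spoof: the cipher block for '$1000.00' in message B is
    replaced by the cipher block for '$9000.00' taken from message A.
    Returns what the recipient decrypts."""
    cipher_a = ecb_encrypt(key, to_blocks(MSG_A))
    cipher_b = ecb_encrypt(key, to_blocks(MSG_B))
    cipher_b[2] = cipher_a[2]
    return from_blocks(ecb_decrypt(key, cipher_b))


def ccd_detects_spoof(key):
    """The check digits sent with message B do not match those the recipient
    recomputes over the spliced text, so the modification is detected."""
    ccd_sent = check_digits(key, to_blocks(MSG_B))
    return check_digits(key, to_blocks(spoof_ecb(key))) != ccd_sent


def spoof_chained(key, iv):
    """The same splice against the chained mode: everything from the spliced
    block onward, the trailer included, decrypts wrongly."""
    cipher_a = chained_encrypt(key, iv, to_blocks(MSG_A + TRAILER))
    cipher_b = chained_encrypt(key, iv, to_blocks(MSG_B + TRAILER))
    cipher_b[2] = cipher_a[2]
    plain = chained_decrypt(key, iv, cipher_b)
    return from_blocks(plain[:2]), from_blocks(plain[-1:]) == TRAILER
```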

5.2 Data Stream Encryption

The term "data-stream" refers to the serial flow (serial by bit, by character, or by any other increment) of data, as over a communications line. "Data-stream encryption" refers to the encryption of such data in real-time, for subsequent "data-stream decryption," also in real-time. It is possible to use block-encryption for data-stream encryption, but this is not desirable. In DES block encryption, the first bit cannot be encrypted until the 64th bit has been received, so that a block-encryption technique in a data-stream environment inherently imposes a delay of 64 bit times. Block decryption imposes an equal delay. Thus communications delays would be unacceptably increased where block techniques are to be used.

Fortunately, DES can be applied to a data-stream environment so as to minimally impact communications delays. Two such techniques are "internal feedback" and "cipher feedback."

Internal Feedback. The internal-feedback approach to data-stream encryption uses DES to generate a stream of pseudo-random "encrypting bits." These bits are exclusive-ored with the plain-text bits to form the cipher bits, as illustrated in figure 4. The decryption process operates the same way, with the exact same pseudo-random stream of "encrypting bits" being generated. Exclusive-oring these bits with the cipher bits then produces the original plain text bits.

To use DES in this manner, any number of the 64 output (i.e. cipher) bits may be used. For simplicity of explanation, it is assumed that only 1 bit is used, and the other 63 discarded. The selected bit is not only used to encrypt the plain-text data, but is also fed back as the input to DES, and another algorithm cycle initiated. Thus, one algorithm cycle is required per "encrypting bit."



Figure 3. Block interconnections to provide "infinite" garble extension: 64-bit plain-text blocks pass through E boxes (and, at the recipient, D boxes) linked by exclusive-or, so that a change in one cipher block changes all of the subsequent plain text.

Figure 4. Internal feedback.



To ensure that the decryption process generates the same pseudo-random "encrypting bits" as does the encryption process, the DES input registers of the two devices must commence operation with the same "initial fill." The process by which this is accomplished is called "crypto synchronization."

Cipher feedback. This approach to data-stream encryption is very similar to the internal feedback approach, the difference being that cipher bits, rather than "encrypting bits," are used as the DES input. Note that this approach, figure 5, if used in a one bit feedback mode, is "self synchronizing" because after 64 bit times the DES input register of the decryption device will contain the same data as does the input register of the encryption device. Note also that the approach provides garble extension, thus providing anti-spoofing protection.
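The two feedback modes, as an added example that is not code from this paper or the earlier one. It covers the 8-bit cipher feedback with random fill and 64-bit error extension that the earlier paper describes as well as the 1-bit self-synchronizing case here, and contrasts cipher feedback with internal feedback under a bit error and under a lost unit. The keyed SHA-256 function standing in for the DES encrypt operation and all names are this example's assumptions.

```python
import hashlib
import secrets

MASK64 = (1 << 64) - 1


def toy_block_encrypt(key: bytes, register: int) -> int:
    """Stand-in for the DES 'encrypt' operation: a keyed pseudo-random function
    from the 64-bit input register to a 64-bit output.  NOT DES and NOT a
    secure cipher.  Both feedback modes use only the encrypt direction, so the
    feedback behaviour shown below does not depend on the block function."""
    digest = hashlib.sha256(key + register.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def feedback_stream(key, register, units, s, mode, decrypt=False):
    """s-bit feedback over a list of s-bit units (s=8: characters, s=1: bits).
    Each cycle runs the block function on the 64-bit input register, XORs its
    leftmost s output bits (the 'encrypting bits') with one unit, then shifts
    s bits into the register:
      mode "cfb": the cipher unit (cipher feedback, figure 5);
      mode "ofb": the encrypting bits themselves (internal feedback, figure 4)."""
    reg, out = register & MASK64, []
    for u in units:
        encrypting_bits = toy_block_encrypt(key, reg) >> (64 - s)
        v = u ^ encrypting_bits
        out.append(v)
        if mode == "cfb":
            fed_back = u if decrypt else v   # whichever side holds the cipher unit
        else:
            fed_back = encrypting_bits
        reg = ((reg << s) | fed_back) & MASK64
    return out


def sender(key, message, s, mode, register=None):
    """Sender side.  Its input register starts in an arbitrary state (random
    unless given) and 64 bits of random fill (64//s units) precede the message,
    as in the figure 6 message format of the earlier paper."""
    reg = secrets.randbits(64) if register is None else register
    fill = [secrets.randbelow(1 << s) for _ in range(64 // s)]
    return feedback_stream(key, reg, fill + message, s, mode)


def receiver(key, cipher, s, mode, register=0):
    """Receiver side: decrypts from its own register state and discards the
    first 64//s units, which carried the fill."""
    return feedback_stream(key, register, cipher, s, mode, decrypt=True)[64 // s:]


def garbled_after_bit_flip(key, message, s, mode, index, bit=0):
    """Flip one bit of one cipher unit in transit (both ends started from the
    same fill) and return the message positions the receiver gets wrong."""
    iv = secrets.randbits(64)
    cipher = sender(key, message, s, mode, iv)
    cipher[64 // s + index] ^= 1 << bit
    got = receiver(key, cipher, s, mode, iv)
    return [i for i, (a, b) in enumerate(zip(message, got)) if a != b]


def garbled_after_unit_loss(key, message, s, mode, index):
    """Drop one cipher unit in transit and compare the receiver's output with
    the message minus that unit, i.e. allowing for the one-unit shift."""
    iv = secrets.randbits(64)
    cipher = sender(key, message, s, mode, iv)
    del cipher[64 // s + index]
    got = receiver(key, cipher, s, mode, iv)
    expected = message[:index] + message[index + 1:]
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]
```

With s = 8 a flipped cipher bit garbles the current character and the eight that follow (the 64-bit burst), after which cipher feedback recovers by itself; internal feedback garbles only one bit but never recovers from a lost unit.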

6. System Philosophies

There are three basic approaches to incorporating encryption into a communications system: link-by-link, node-by-node, and end-to-end encryption.

Link-by-link encryption, figure 6, is the technique most commonly used today. It may be implemented in a transparent manner with currently available devices, which are placed in series with the circuit between data terminal equipment and data communications equipment. This approach has the disadvantage that it allows all traffic to pass through the CPU of any node in plain-text.

Node-by-node encryption, figure 7, is a modified version of link-by-link encryption to overcome this disadvantage. Each link uses a unique key, but the "translation" from one key to the next occurs within a single "security module" which might serve as a peripheral device to the node's CPU. In this way plain-text data does not traverse the node, but exists only within this physically secure module. Note that enough message data must remain unencrypted so that the node's CPU can properly route the message.

End-to-end encryption, figure 8, requires a "Key Control Center," located somewhere within the communication system. Each end-point in the system holds a unique "long-term" key, and this center alone holds a copy of each such key. When one end point wishes to communicate with another, a request to this effect is sent to the Key Control Center. This center then generates a temporary "per conversation" key, encrypts this in the long-term





Figure 5. Cipher feedback: the DES (encrypt) input registers of the two devices are synchronized on the cipher; at each end the DES output is combined with the plain-text or cipher, the unused output bits being discarded.

Figure 6. Link-by-link encryption: originator and receiver share key A; only cipher appears on the link.

Figure 7. Node-by-node encryption: cipher under key A enters the node's security module, which translates it to cipher under key B; plain-text exists only inside the module.

Figure 8. End-to-end encryption, connection set-up: a connection request goes to the Key-Control Center, which holds storage for the long-term keys and a random-number generator for temporary keys; long-term keys A and B protect the temporary key X sent to originator and receiver.



key of the recipient, and sends the appropriate version to each. The originator decrypts the just-received encrypted temporary key using its long-term key, the recipient does likewise with its long-term key, and the two parties then converse with end-to-end encryption using this temporary key.
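The figure 8 set-up exchange, as an added example that is not code from the paper. The nonce-plus-SHA-256 pad standing in for DES encryption of the temporary key, the class names and the record of what crossed the wire are this example's assumptions.

```python
import hashlib
import secrets


def wrap(long_term_key: bytes, temp_key: bytes) -> bytes:
    """Encrypt a temporary key under a long-term key.  Stand-in for a DES
    block encryption of the key (NOT DES): a fresh 8-byte nonce and a SHA-256
    pad, so no two conversations reuse a pad."""
    nonce = secrets.token_bytes(8)
    pad = hashlib.sha256(long_term_key + nonce).digest()[:len(temp_key)]
    return nonce + bytes(a ^ b for a, b in zip(temp_key, pad))


def unwrap(long_term_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    pad = hashlib.sha256(long_term_key + nonce).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad))


class KeyControlCenter:
    """Alone holds a copy of every end point's long-term key (the 'storage for
    long-term keys' of figure 8) and draws temporary keys at random."""

    def __init__(self):
        self.long_term = {}
        self.wire = []   # every encrypted temporary key that left the center

    def register(self, name: str, long_term_key: bytes):
        self.long_term[name] = long_term_key

    def connection_request(self, originator: str, recipient: str):
        """Generate a 64-bit 'per conversation' key and return one copy
        encrypted for the originator and one for the recipient."""
        temp = secrets.token_bytes(8)
        for_originator = wrap(self.long_term[originator], temp)
        for_recipient = wrap(self.long_term[recipient], temp)
        self.wire += [for_originator, for_recipient]
        return for_originator, for_recipient


class EndPoint:
    def __init__(self, name: str, long_term_key: bytes):
        self.name, self.long_term, self.session = name, long_term_key, None

    def receive_temp_key(self, blob: bytes) -> bytes:
        """Decrypt the just-received temporary key with the long-term key."""
        self.session = unwrap(self.long_term, blob)
        return self.session


def set_up_conversation(kcc, originator, recipient) -> bool:
    """The figure 8 exchange; True when both parties now hold the same key."""
    for_o, for_r = kcc.connection_request(originator.name, recipient.name)
    originator.receive_temp_key(for_o)
    recipient.receive_temp_key(for_r)
    return originator.session == recipient.session


def temp_key_in_clear_on_wire(kcc, end_point) -> bool:
    """Sanity check: the temporary key must never have crossed the wire in clear."""
    return any(end_point.session in blob for blob in kcc.wire)
```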

7. Procurement Considerations 

For retrofitting an existing system, link-by-link encryption utilizing transparent link encryption devices is a reasonable approach; DES feedback is a desirable choice for these devices.

For a new system, in which cryptography can be "designed in" rather than "added on," block-encryption techniques should be considered because of their more efficient use of the algorithm, and their absence of initial synchronization requirements. For a transaction oriented system, in which messages are very short and routed to varying destinations, the node-by-node approach appears preferable because it does not impose any per-conversation overhead for key distribution. However, for a "session" oriented environment in which conversations may be relatively long, end-to-end encryption appears to be the obvious choice.




A Bit-Slice, 4-Chip Implementation of the Data Encryption Standard

Kris Rallapalli
Fairchild Semiconductor
Mountain View, California

The following paper has been extracted from the verbal presentation of Mr. Rallapalli at the February 15th Conference. A written paper had not been submitted at the time of publication of these proceedings.

1. Introduction

I would like to present an approach for implementing the DES in a bit-slice, multi-device, large scale integrated technology. This approach is based on our estimate of the user's need for a high-speed implementation of the DES for secure data communications. We feel that a high-speed hardware implementation can be widely used in many ADP security applications. The existence of a standard in this area potentially allows us to reach this goal.

2. Bit-Slice Implementation

We have attempted to design a set of chips which can be used in high-speed, cost effective applications in various environments having a wide range of temperatures. For this we have chosen to use the I3L (Isoplanar Integrated-Injection Logic) technology.

It was quite easy to draw a block diagram of the DES. NBS did all of the work for us. After analyzing the requirements of the DES in a single chip, we felt that the chip would be far too large and expensive. In large scale integrated technology, the smaller the chip, the higher the yield, and hence the cheaper the cost. By analyzing the algorithm, we discovered that we could partition it into four parts. Each part could be implemented in one chip, and all four chips would be almost identical.

After analyzing both the initial and final permutations of the DES, it became obvious that it would be simple to partition the DES in this way. The 64 bits of data are entered in eight 8-bit bytes. For each byte of data, device 1 would receive bits 1 and 2, device 2 would receive bits 3 and 4, device 3 would receive bits 5 and 6, and finally device 4 would receive bits 7 and 8. Eight bytes would be presented to the four devices in this manner until all 64 bits have been entered.




. • ■ . < , ( 

In the block diagram of the DES, the next major operation is to expand the right hand 32 bits to 48 bits. The next major operation is the XOR function of 48 bits of the key with the expanded right hand half. Each of the four devices will contain two substitution (S) tables. Device 1 will contain tables 1 and 2, device 2 will contain tables 3 and 4, etc. The four devices must be connected in such a way that they receive the necessary bits from the neighboring devices at the proper time to make the algorithm work. As far as the key is concerned, I am going to divide the key into 4-bit slices similar to the 2-bit slices used for the data. In order to do this efficiently in the four chip approach, I must maintain duplicate copies of the key across the four devices. In analyzing the DES, especially in the permutation of the key (PC-1 and PC-2), it is obvious that the C register must be in devices 1 and 2 and the D register must be in devices 3 and 4. The trick will be to input the key in 4-bit slices and to keep two copies. To control the devices, I propose two control lines. I am planning to use a microprocessor to control the four devices via the two control lines.

3. The 4-Chip DES

In summary, we are going to use four of these devices, where each device consists of two 8-bit shift registers for the data, four 8-bit shift registers for the key and two 64 x 4 ROMs for the S tables. Each device will have a parity check facility for the key and other required control logic. The four devices will work in parallel from a single clock. Our estimate of the speed is that it could be clocked at 5 megahertz. The two control lines that I mentioned would implement four control functions. The first is load key, the second is load data, the third instruction is to encrypt and the fourth is to decrypt data.

The device will check parity of the key as it is entered and set a flag for the microprocessor control if the parity is incorrect. It will not, however, prevent operating with a "bad" key. It takes eight clock pulses to load the key and eight more clock pulses to load the data. Then the devices require sixteen more clock pulses to either encrypt or decrypt the data and eight additional clock cycles to unload the devices. However, the next eight bytes can be loaded at the same time that the unloading is taking place. Therefore, only twenty-four cycles are used for a complete operation of the DES unit. With a clock operating at 5 megahertz, this gives an effective throughput of 13 million bits per second, or in other words, each 64-bit block requires 5 micro-seconds to encrypt or decrypt.
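The data partition of section 2 (device d receives bits 2d-1 and 2d of each of the eight input bytes), the key parity check that only raises a flag, and the cycle count of this section, as an added example that is not Mr. Rallapalli's or Fairchild's code. It relies on one fact not stated on the page: a DES key carries odd parity in every byte, with the eighth bit of each byte being the parity bit. Function names and the bit-ordering convention (bit 1 is the most significant bit of a byte) are this example's own.

```python
"""Bit-slice data partitioning, key parity flag and cycle budget for a 4-chip DES
(added example)."""

NUM_DEVICES = 4


def slice_data_block(block: bytes) -> list:
    """Return, for each device, the 16 data bits it receives, in load order.
    Bits are numbered 1..8 within a byte, most significant first, so device
    d+1 (0-based d) takes bits 2d+1 and 2d+2 of every byte."""
    if len(block) != 8:
        raise ValueError("a DES block is exactly 8 bytes")
    slices = [[] for _ in range(NUM_DEVICES)]
    for byte in block:
        for d in range(NUM_DEVICES):
            slices[d].append((byte >> (7 - 2 * d)) & 1)   # bit 2d+1
            slices[d].append((byte >> (6 - 2 * d)) & 1)   # bit 2d+2
    return slices


def reassemble_block(slices) -> bytes:
    """Inverse of slice_data_block: gather each byte's two bits from every device
    (what the unload step does after encryption)."""
    out = bytearray()
    for i in range(8):
        byte = 0
        for d in range(NUM_DEVICES):
            hi, lo = slices[d][2 * i], slices[d][2 * i + 1]
            byte |= hi << (7 - 2 * d)
            byte |= lo << (6 - 2 * d)
        out.append(byte)
    return bytes(out)


def key_parity_flags(key: bytes) -> list:
    """Indices of key bytes that fail DES odd parity (an even number of 1 bits)."""
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes")
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def load_key(key: bytes) -> dict:
    """Model the load-key control function: the key is accepted regardless,
    and a parity flag is raised for the controlling microprocessor."""
    bad = key_parity_flags(key)
    return {"key": key, "parity_error": bool(bad), "bad_bytes": bad}


def cycles_per_block(pipelined: bool = True) -> int:
    """Clock cycles per 64-bit block: 8 to load data, 16 to encrypt or decrypt,
    8 to unload. With pipelining the unload overlaps the next block's load."""
    load, run, unload = 8, 16, 8
    return load + run if pipelined else load + run + unload


def throughput_bits_per_second(clock_hz: int) -> int:
    """Effective throughput of one 4-chip unit at the given clock rate."""
    return 64 * clock_hz // cycles_per_block()
```

At the 5 MHz clock quoted above this gives 24 cycles and a little over 13 million bits per second per unit. A controller that honours the parity flag only by logging it reproduces the device's behaviour; whether to refuse a "bad" key is a policy decision the device leaves to the microprocessor.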



Our company is planning to build these LSI devices and market them in various forms to our customers.






Federal Reserve Communications Security Project

Howard Crumb
Federal Reserve Bank
33 Liberty Street
New York, N.Y. 10045

The following paper has been extracted from the verbal presentation of Mr. Crumb at the February 15th Conference. A written paper had not been submitted at the time of publication of these proceedings.

1. Introduction

This afternoon I plan to discuss the Federal Reserve Communications System, some of our concerns for security, and the type of operations that the communications system supports. The Federal Reserve System was created by an act of Congress in 1913. Its job was to insure an orderly economic growth, supervise and regulate banks, act as a fiscal agent for the United States Treasury, and provide for an improved collection system. The United States is divided into twelve Federal Reserve regions and there is a Federal Reserve bank in each of the regions. Each bank is an independent corporation. The overall guidance for the Federal Reserve system comes from its Board of Governors located in Washington, D.C. However, each of the banks is responsible for its own operation.

2. FEDWIRE Communications System

With this introduction, I would like to talk about the communications system between these banks frequently referred to as the FEDWIRE. This system is used to transfer balances between Federal Reserve member banks throughout the country. There was a manual system before FEDWIRE was installed consisting of couriers which transferred money among the member banks, and as a result was vulnerable to those hazards and threats affecting physical transportation. The FEDWIRE was developed to eliminate charges for transfer of funds imposed by the courier system and to make the transfer of funds much faster.

The FEDWIRE consists of a central communications site at Culpeper, Virginia and communication lines to each of the Federal Reserve Banks. Similarly, each Federal Reserve Bank is linked to its member banks within its own region or district. FEDWIRE became operational in late 1970. At that time each Federal Reserve bank was






connected to Culpeper by teletype circuits. Subsequently, magnetic tape transfer capabilities were added to the twelve main communication



The system was next upgraded by replacing the teletype circuits with computer communications switches. Each district was allowed to design, select and implement its own computer system but was required to meet standard interface criteria. Some of these standards in turn have been adopted for use within each district for interconnection to member banks.

Currently, the FEDWIRE system averages over 50,000 transfers per day, carrying well in excess of one hundred billion dollars. This is equivalent to transferring the Gross National Product every 15-18 days or transferring the National Budget every five days.

The Federal Reserve System has been fulfilling its role as fiscal agent by transferring Government securities for some time. The operation has evolved as a natural extension of FEDWIRE services to transfer the securities on a timely basis. This system has helped to eliminate much manual handling of Federal paper securities and in making this system much more efficient. Presently, about 83% of the National Debt is contained in this "Book Entry" form.

As a part of its fiscal responsibility, FEDWIRE is being used to transfer payrolls to approximately 250,000 Air Force personnel. These paychecks are being forwarded directly to many financial institutions across the country in a paperless form. This Air Force payroll is only a forerunner of a much larger operation. Concurrently, over five million Social Security payments are being transferred to Social Security recipients in a paperless form across the country. Other Government payrolls are planned to be converted to a paperless form in 1977.

In order to assure that network facilities will be able to handle these increased demands, we are planning to extend the system to handle this expanded load on a specified priority basis. In addition to expanding this system due to the increased load, we are planning to improve the security of the FEDWIRE. The FEDWIRE system must be protected for both availability and security reasons. The system must be available to make all the necessary daily transactions and these transactions must be protected against several threats and vulnerabilities. These vulnerabilities include sabotage, fraud and mischief. At present, significant controls exist to minimize these vulnerabilities. The security of the capability consists of physical security, operational security, personnel selection, and network concerns, as well as the management aspects such as legal agreements and audit procedures.

We recognize that it is impossible to prevent all possible security problems. However, the system is designed to bring any deception to light as soon as possible after it occurs. We continuously monitor the operations to detect any fraud, accident or misuse. Our security



Evaluation criteria for the test and managing the encryption keys are currently being developed for the operational tests.

No specific action following the tests has been specified but it is hoped that commercially available devices will be offered to the Federal Reserve System and anyone else based on the results of this prototype system. We feel that encryption will also be needed in the future as one technique to meet requirements for privacy of information.






ARPA NETWORK SECURITY PROJECT

Stephen T. Walker
Defense Advanced Research Projects Agency
1400 Wilson Blvd.
Arlington, VA 22209

The ARPA computer network has become an operational Defense Department packet switched communications system. A recent ARPA research project has developed techniques for achieving end-to-end encryption processes in a sophisticated networking environment such as the ARPA network. The National Bureau of Standards' (NBS) Data Encryption Standard (DES) Algorithm has been employed as the basic encryption mechanism for the initial demonstration of this capability. This paper gives the background and current status of that research project.

A research project in computer networks initiated in 1968 by the Defense Advanced Research Projects Agency pioneered the development and demonstration of packet switched communications systems. Today the ARPANET is one of the largest and most sophisticated operational computer controlled communications systems in the world. The network depicted in figure 1 extends from Hawaii to Norway with approximately 60 nodes and 120 host computers connected by 50 kilobit dedicated communication circuits. The ARPA network is now an operational Defense Department facility under the management of the Defense Communications Agency (DCA). While growth in terms of number of nodes on the network has leveled off in recent years, traffic on the network has continued to double yearly. In late 1976 average daily traffic handled on the network exceeded ten million packets per day.

The technology employed in the ARPA network has provided the foundation for DCA's common user data network, Autodin II. This system will be the major data communication network for the Defense Department in the 1980's and 90's. The ARPA network has also served as the basis for a number of commercial and private networks and many foreign systems.

The ARPA network has evolved from a basic research project to a fundamental component in the development of a wide variety of advanced computer science techniques. It has for the most part been associated with unclassified research organizations throughout the U.S. and, with the exception of a recent limited capability to transmit classified information, it remains primarily a non-secure facility. However, a major concern from the inception of the ARPANET has been the need within the Defense Department for efficient secure data communications mechanisms. Developing techniques for securing packet switched networks is the principal research objective of ARPA's network security program.




In the implementation of secure computer systems there are basically three levels of complexity to be considered: physical/administrative, communications and operating system (or software) security measures. Computers have been processing classified information for many years in what is called "system high mode" where the computer is physically isolated in a protected area and all personnel associated with the computer are cleared to the highest level of classified data processed by the system. The first level of complexity consists of the well known physical and personnel security measures, involving locks, alarms and clearances. When two or more secure computer systems are linked over communication lines, the second level of complexity, communications security, is employed. The universally accepted approach to communications security is the use of encryption on data while it is being transmitted over unsecured communication lines. Communications security techniques have been employed for many years in link encryption mode where each end of the communication line is attached to an encryption device. Both administrative and communication security measures are used to protect computer systems from unauthorised external access.

The third level of complexity influencing the use of computers handling classified material is the operating system or software security problem. In this case the integrity of the software running in the computer must be relied upon to provide protection among authorised users of a computer system. A special case of operating system security is control of encryption devices operating in a sophisticated networking environment. The computer controlled nature of advanced communications systems requires solutions to the security problem in addition to the already existing communications security issue.

The ARPA System and Network Security Program is addressing the third complexity factor described above. Considerable progress is being made in the operating system security area with the application of several certified secure ADP systems in the Defense Department anticipated within the next one to three years. A particular concern of the government, being addressed by this ARPA research program, is the employment of computer controlled encryption techniques to provide communications security within sophisticated computer networking environments.

In mid-1975 ARPA, in conjunction with other government agencies, began an effort to provide an effective demonstration of end-to-end encryption with remote key distribution. The basic concepts of this approach were first published in a paper by Dr. Dennis Branstad in 1973 (1). The system is designed to work in multiple networking environments allowing the encrypted data to pass unaltered among several interconnected networks. The system uses the newly developed transmission control protocol by Cerf and Kahn (2) to provide a highly reliable communications path. It makes heavy use of the error-correcting effects of network protocols, insuring an essentially error free environment regardless of the communication path being employed.




Electronic Funds Transfer Application

Jack McDonnell
EFT Commission
1000 Connecticut Avenue
Washington, D.C. 20036

The following paper has been extracted from the verbal presentation of Mr. McDonnell at the February 15th Conference. A written paper had not been submitted at the time of publication of these proceedings.

1. Introduction

I would like to preface my comments on security by introducing you to the National Commission on Electronic Funds Transfer. The EFT Commission was created by an act of Congress two years ago because Congress anticipated that there would be a lot of problems in the "checkless" society that do not exist in the present banking environment. Congress created this Commission to study these problems and report back with recommendations on what to do. Our first report is due to Congress on February 23, 1977. This will be an interim report and makes only non-technical recommendations. The final report will include our technical recommendations.

EFT is not new. The Federal Reserve has been using this mode of balancing the nation's "checkbook" for some time.

There are three main areas of EFT. The first I will call a low-volume, high-dollar transaction system typified by the FEDWIRE system. The second is the system typically called the automated clearing house, which primarily uses magnetic tape to transfer money. The third is the one I would like to discuss today; it is the one which has a high visibility to the consumer. The last incorporates automatic cash issuing terminals, point of sale terminals and automatic teller machines.



I would like to give credit for most of the material that I am going to present to Mr. Paul Haver of the Federal Deposit Insurance Corporation who has written a booklet entitled "Introduction to EFT Security." Figure 1-1 of this document displays the various points of vulnerability in an EFT system. In particular, the automatic teller machine is the direct interface of an EFT system to a customer. The customer must present a "digital signature" to this machine to prove the customer's identity. This digital signature is called a Personal Identification Number (PIN). Typically, a customer is issued a plastic card with a magnetic stripe on the back in conjunction with the PIN. This magnetic stripe contains information in a 1, 2 and 3-track format. The combination of the card and the PIN causes the system to operate.

The effective use of encryption in the EFT environment requires several things. First, the banking community and its customers must be educated to the threats of an EFT system and the use of encryption in reducing these threats in order to establish a viable National EFT system. Second, the encryption of the PIN or other information on the plastic card requires several standards in order to be viable. Third, these standards must be available on a non-proprietary basis to be used at will throughout the system.

2. Threats to an EFT System

A cash issuing terminal usually has between twenty and forty thousand dollars at the beginning of a day. The largest "rip-off" that has been identified in an EFT environment did not occur in this country but in Switzerland. A customer with a valid card and a valid PIN used his knowledge of the off-line system to perpetrate his crime. He simply started visiting each of the cash issuing terminals in a large European city starting at 5 a.m. on a weekend to "jackpot" each of the terminals. To the best of our knowledge, he acquired the equivalent of $100,000.

I would like to look at the vulnerabilities of an EFT system and see where encryption can alleviate some of the potential risks. One application is to encrypt the data on the magnetic stripe of the card. If the PIN is used as part of the key for the encryption operation, anyone who finds or steals the card, but does not know the PIN, cannot use the card.

The simplest threat to the communications of an EFT system is passive wire tapping. In this threat a penetrator simply records the information going across the communication line and duplicates the magnetic card from the information contained in a transaction request to commit fraud. If the PIN or other input data of this communication were encrypted, the penetrator would be thwarted in this attempt.

The second threat is called active wire tapping. A penetrator is not only able to monitor the communications between a cash issuing terminal and a bank, but is also able to modify the communications.

We can look at encryption as being a security measure for communications. Unlike a simple communication system in which all of the data and control information is encrypted, a viable EFT network requires that only the valuable data be encrypted and the address/control information remain in the clear. This latter information is required in the switch between communicating devices. We feel that the Cryptographic Check Digits (CCD)* hold great promise in securing an EFT network.

The final threat exists within the computer of each financial institution. I cannot emphasize too strongly that this is the most vulnerable point in any system. We feel that there is a definite application for encryption on the account files within the computer itself.

We hope to develop a set of security guidelines for the financial community through an inter-agency task group that we have established. It is too early to tell exactly how extensive these guidelines will be. Our first step is to inventory the cases of fraud that have occurred in EFT systems. Before the Commission is terminated in October, we hope that we can have a set of guidelines for financial institutions to enforce. In all probability, we will make the recommendation that this inter-agency task group continue in some form, perhaps in conjunction with NBS, to develop the technical security standards needed for an EFT system.



*Editor's Note: See the paper by Carl Campbell in these proceedings.






Implementation & Use
of
The Data Encryption Standard
within
the Data Communications Environment

Mr. Ed. Lojise
Corporate Engineering Headquarters
Burroughs Corporation
World Headquarters Building
Room 5E30
Burroughs Place
Detroit, Michigan 48232

With the standardization of the DES, product and system designers can proceed to implement various security devices. Applications for link and end-to-end protection can and will be accommodated. However, if these applications are likely to involve communication within a system containing equipment from different manufacturers, additional standards are needed: key management, electrical interface, encryption mode, initialization and resynchronization. This standards development effort has already started.



Key words: Encryption; security devices; standards.



With the advent of Electronic Funds Transfer systems, and data banks filled with statistics on individual citizens and businesses, there is a growing inter-dependence between computer systems and communications systems. The transfer of this information to or from remote system users while maintaining the integrity of the data is in itself a complex problem. The passage of the Privacy Act of 1974 further compounded the problem by requiring that this information transfer cannot be accessed by unauthorized personnel. Beyond the need for privacy there is need to protect against alteration of the message.

This becomes doubly important when data is transmitted via common carriers such as microwave transmission systems, communication satellites or telephone lines.

It is incumbent upon the management of these user systems to guarantee the privacy of this information and guard against its fraudulent use or alteration.



The Data Encryption Standard (DES) has gone a long way in providing a tool with universal applicability for those who wish to ensure data protection.

The type of security required in some environments may be such that the message can be transmitted in clear text as long as its integrity is safeguarded. Other environments may require the contents of the message be concealed during transmission from unauthorized observation. In the former case authentication will suffice, that is, the message text is operated upon by the DES to produce a series of check digits which are appended to the message and this entire format transmitted. If, at its destination, the message integrity has been preserved the same set of check digits will be generated and a simple comparison will serve to validate the message. In the latter case, the text of the message will be transformed, using the DES, into cipher which is transmitted. This process is known as encryption.

These levels of security may be implemented in either of two data communications modes: link or end-to-end.

Figure I illustrates the levels of protection provided for each technique used.

Figures IIa and IIb show how these techniques are implemented in some data communication networks.



In the link mode the device is transparent to the data on the line, encrypting and decrypting without modifying any of the data in the process and without affecting the source or destination processors.

Data on the line between the devices is protected for both message integrity and secrecy (privacy) since it is unintelligible to unauthorized listeners and cannot be altered without detection.

In some communication networks with multiple nodes, link encryption does not protect the data within the node where the message is in plain text and subject to tampering or misrouting. By encrypting at the source only and not decrypting until the communication reaches its ultimate destination the information content of the message is only usable by recipients who possess the appropriate key. This technique is known as end-to-end encryption, and requires that the message header, which contains routing, priority and other information used by the network itself, be kept in clear text. In this case, the data security device must be sensitive to the data communication procedures used in the network or be capable of detecting START ENCRYPTION/STOP ENCRYPTION instructions in the text.
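The two cases described above, authentication by appended check digits and end-to-end encryption with the header left in the clear, as an added example in Python (it is not code from this paper). The DES is replaced by a stand-in 64-bit Feistel block cipher whose round function is SHA-256, so that the example runs on the standard library alone; the header layout, the key values, the padding rule and the function names are this example's own assumptions.

```python
"""End-to-end protection of a frame whose header stays in the clear.

Added example; not code from the proceedings. A stand-in Feistel cipher
replaces the DES so the example runs offline; the framing, the check-digit
computation and the receiver's comparison are the point, not the cipher.
"""
import hmac
import os
import struct
from hashlib import sha256

BLOCK = 8          # 64-bit block, as for the DES
HEADER_LEN = 5     # constructed header layout: dest(2) src(2) priority(1)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, right, i):
    # Stand-in round function; a real device runs the DES round here.
    return sha256(key + bytes([i]) + right).digest()[:4]


def block_encrypt(key, block):
    """16-round Feistel structure over one 8-byte block (stand-in for the DES)."""
    left, right = block[:4], block[4:]
    for i in range(16):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left                      # final swap of the halves


def block_decrypt(key, block):
    right, left = block[:4], block[4:]       # undo the final swap
    for i in reversed(range(16)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def _pad(data):
    n = BLOCK - len(data) % BLOCK            # always at least one pad byte
    return data + b"\x80" + b"\x00" * (n - 1)


def _unpad(data):
    return data.rstrip(b"\x00")[:-1]


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def check_digits(mac_key, data):
    """Chain the cipher over the padded text; the last block is the check
    field the paper calls check digits (a CBC-MAC)."""
    padded, x = _pad(data), bytes(BLOCK)
    for i in range(0, len(padded), BLOCK):
        x = block_encrypt(mac_key, _xor(x, padded[i:i + BLOCK]))
    return x


def make_header(dest, src, priority):
    return struct.pack(">HHB", dest, src, priority)


def parse_header(frame):
    """What a switch reads to route the frame: no key needed, header is clear."""
    return struct.unpack(">HHB", frame[:HEADER_LEN])


def authenticate(mac_key, header, data):
    """Former case: clear text with check digits appended."""
    return header + data + check_digits(mac_key, header + data)


def verify(mac_key, frame):
    body, tag = frame[:-BLOCK], frame[-BLOCK:]
    if not hmac.compare_digest(tag, check_digits(mac_key, body)):
        return None                          # integrity lost: raise the alarm
    return body[:HEADER_LEN], body[HEADER_LEN:]


def protect(enc_key, mac_key, header, data, iv=None):
    """Latter case: the data field is enciphered end to end (CBC, fresh IV),
    the header stays clear, and the check digits cover header and cipher so
    a misrouted or altered frame is detected at the destination."""
    iv = os.urandom(BLOCK) if iv is None else iv
    body = header + iv + cbc_encrypt(enc_key, iv, _pad(data))
    return body + check_digits(mac_key, body)


def unprotect(enc_key, mac_key, frame):
    body, tag = frame[:-BLOCK], frame[-BLOCK:]
    if not hmac.compare_digest(tag, check_digits(mac_key, body)):
        return None                          # tampered or misrouted frame
    iv = body[HEADER_LEN:HEADER_LEN + BLOCK]
    return _unpad(cbc_decrypt(enc_key, iv, body[HEADER_LEN + BLOCK:]))


if __name__ == "__main__":
    ek, mk = b"enc-key!", b"mac-key!"        # constructed 8-byte keys
    frame = protect(ek, mk, make_header(8, 2, 1), b"TRANSFER 1500.00 TO ACCT 4711")
    print(parse_header(frame), unprotect(ek, mk, frame))
    bad = bytearray(frame)
    bad[1] ^= 1                              # a node alters the clear destination
    print(unprotect(ek, mk, bytes(bad)))     # None: check digits no longer match
```

The switch only ever calls `parse_header`; the check digits are computed over the clear header as well as the cipher, which is what lets the destination reject a frame whose routing information was changed in a node even though that information was never encrypted.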




[Figure I. Data Communication Security: for each technique (link, end-to-end) the protection provided by encryption, authentication, and selective encryption/authentication, shown against message secrecy and message integrity.]



[Figure IIa. Link encryption mode, full duplex: terminal, security device (encrypt/decrypt), communication network, security device (decrypt/encrypt), DCP. End-to-end mode, full duplex: security device at the terminal and security device at the DCP, with the communication network between them.]



[Figure IIb. Communication networks: link-to-link encryption (send, security device, switch, security device, switch, security device, receive) and end-to-end authentication or encryption (security device at the sending and receiving ends only, switches in between).]

The end-to-end mode is applicable in systems where no operations need be performed on the encrypted data but the data must be transmitted through a switching network and its privacy safeguarded. An example of this could be one IRS branch retrieving tax information on an individual and forwarding it to a second branch, or the banking community accessing credit ratings.

On the other hand, link encryption may be more desirable in the field of International Electronic Funds Transfer where the volume of traffic and/or the message sources and destinations need to be concealed. However, you can see that the employment of link encryption will be more costly since an encryption device is required at each node rather than just at the source and the destination.

Therefore, a careful analysis of the user's environment and requirements will dictate which mode of operation will yield the level of security desired in the most cost effective way.

Noting the modes of operation, we may now look into the implementation aspects of the DES.

This algorithm can be implemented in a number of ways depending on the user's requirements. It can be used in the encryption mode or the authentication mode; it can be incorporated as an in-built feature of terminals or modems or operate as drop-in, stand alone equipment. This is illustrated by Figure III.



Looking at the advantages and disadvantages of built-in versus drop-in implementation it can be said that in the area of access prevention the built-in implementation is superior. This technique reduces the chance that detection can take place between the terminal and the security device where the text is in the clear. However, this technique may be difficult to implement in existing systems and could require major redesigns. Herein lies the advantage of a stand alone unit which can simply be inserted into existing networks with little or no impact to extant equipment.

Due to the myriad of user environments and requirements there will be a proliferation of security devices in the marketplace; and indeed, one can see the need for imposing standards on this application of the DES so that the impact on existing networks can be minimized, since the DES is but a part of the Security Device.

[Figure III. Various methods of implementing DES in a data communications network: I. drop-in device (terminal, clear text, security device, ciphered text); II. in-built in terminal (terminal containing the security device, ciphered text); III. in-built in modem (terminal, clear text, modem containing the security module, ciphered text).]

Areas where standardization is required in the application (implementation) of the Data Encryption Standard are:

• definition of pin-outs - several of the IC manufacturers have undertaken to implement the DES using LSI technology. It is imperative that these packages be standardized as far as the assignment of input/output signals and voltages to a common pin configuration. This would permit interchangeability of the DES device while permitting flexibility in the application of the device.

• power dissipation - particularly with in-built modules where an excessive power drain could have an impact on existing equipment.

• key management - the ability of the user to change the key without the manufacturer's involvement. This area alone is deserving of a great deal of attention. It involves the generation of the key code book and key assignments to correspondent users, and the physical protection of the keys. The methodology of changing the keys and the impact of this change warrant investigation: Should the keys be generated by a computer? How often should they be changed? What is the procedure if the keys are compromised? These and many other questions should be resolved in the near future by a key management standards committee.

• data rate - at the present time 56K bits per second is the fastest rate at which data is transferred over data communications networks, excluding multiplexing. However, in the foreseeable future transfer rates may increase and depending upon clock rates and loading and unloading schemes we may find the algorithm processing time, or throughput, reaches a limit. This area should be analyzed and limits (or standards) placed on the parameters which would affect the DES operation.

• data communications interfaces between the DTE (Data Terminal Equipment) and security devices should be carefully specified, particularly in light of new and proposed Federal Standards as well as those of industry.

Table 1 illustrates the number of interrelated standards for data communication system interfaces. Standardizing this interface will enable security device manufacturers to produce components and devices with greater assurance of wide applicability while assuring functional interchangeability.

Various committees including the ANSI X3 committee, as a result of a request of the IEEE and the NBS/NCS program within the Federal Government, are starting to work to structure this standard. Burroughs has proposed an interface standard project to the ANSI X3/SPARC committee for consideration.



TABLE 1. Summary of Associated Standards (from NCS TIB 76-1)

Federal Standard | Associated Interface Standards
                 | MIL-STD  | EIA              | ANSI                  | CCITT              | ISO
-----------------+----------+------------------+-----------------------+--------------------+--------
1020             | 188-114  | RS-422           |                       | X.27, V.11         |
1030             | 188-114  |                  |                       | X.26, V.10         |
Proposed 1031    |          | Proposed RS-XYZ  |                       | V.24, V.10         | DP4902
Proposed 1029    |          | Proposed RS-ABC  |                       | V.24, V.10, V.11   | DP4902
Proposed 1040    |          |                  | Proposed "ANSI X.21"  | X.21, X.24         | DP4903
                 |          | RS-232C          |                       | V.24, V.28         | DP2110



• initialization procedures - methods for the initial loading of the key and starting the algorithm process.

• resynchronization - standards are needed prescribing the methods for resynchronizing the encryption process when synchronization is lost due to power transients or transmission errors.

• levels of security provided by the user - if the physical security of the user's facility is maximum then the security device need not have in-built protection devices. However, where physical security is easily compromised the key storage should be such that upon unauthorized access the key will be destroyed.



• error detection - when the integrity of the message is lost through fraudulent alteration a prescribed alarm should be given. However, for parity errors or errors caused by loss of synchronization a different alarm should be raised.

Each of these salient points requires an exhaustive study as it applies to the use of the DES in order to assure the users that they have equipment which will deliver the desired level of security.

While there are a finite number of applications known to date, there will be many new ways to employ this powerful tool. Before these new methods are applied they must be carefully scrutinized to determine what, if any, impact will result in the data communication community. It is conceivable that as major computer switching networks become interconnected the innocent introduction of any non-standard element into the system could cause great confusion and prevent system operation.

Some points to consider in any application are:

• Strive for transparency.

• Key storage should be non-volatile except upon tampering by unauthorized personnel.

• Key entry should be uncomplicated.

• Universal applicability is more desirable than special purpose equipment.

Encryption is the time-honored way to keep data safe and secret. The DES algorithm now offers a standardized tool to government and the private business sector which through proper use affords the necessary level of security to meet the new regulations on privacy. It remains with us to standardize its applications for the mutual benefit of the entire community.






Integrated System Design 



Dr. Walter Tuchman
International Business Machines Corporation
Kingston Development Lab
Neighborhood Road, D69L
Kingston, New York 12493



The following paper has been extracted from the verbal presentation of Dr. Tuchman at the February 15th Conference. A written paper had not been submitted at the time of publication of these proceedings.



1. Introduction

I also have observed during the presentations today that many of the speakers have covered some of the topics that I wish to discuss. However, I would like to take a deeper look into the system architecture required to support encryption. In particular, I would like to talk about the facilities that are required to generate and distribute the encryption keys required by the Data Encryption Standard. My remarks should be taken as a tutorial as I will not be discussing any particular product offering. I will be discussing an integrated approach to the DES algorithm and talking about some of its pros and cons as contrasted to a non-integrated approach.

2. Implementing the DES at the Terminal

The DES can now be readily implemented in LSI for use in computer terminals. The entire implementation of the DES and its necessary control logic can be implemented on a single card and located in a terminal. A throughput of one million bits-per-second can be achieved in this approach.

For the integrated approach, I am assuming that a message packet communications system is available between a terminal and the central processing unit (CPU). The data to be protected is carefully delineated from the addressing and control information in the packet. In this approach, where only the data is encrypted, intermediary nodes in the network need not have an encryption capability nor even know that the data is encrypted. With this approach, performance and security are improved and the cost is minimized.

A vulnerability of data is actually being designed into the newer computer network architectures. This vulnerability is especially prevalent in a loop network. Data from all terminals co-exists on a common communication line and every terminal has the capability of reading the traffic passing through the line. Encryption of the data in an end-to-end security network offers a unique and cost effective solution to this problem.

If we contrast the end-to-end approach with the simpler approach of link encryption, which I call line bracketing, we find some interesting comparisons. First, the line bracketing approach can be implemented quite simply and will provide security on a simple communication line. Line bracketing boxes have very little degradation, typically use all codes, can be used on practically all line disciplines and can become very nearly a universal box for use between any modem and terminal. We probably will see the integrated approach and the line bracketing approach used concurrently for the foreseeable future.

Some of the disadvantages of the line bracketing process are readily apparent, i.e., in dial-up networks there is no key management service, and the keys in many devices must all be the same and must be manually changed. Line bracketing units usually encrypt the control information as well as the data and hence, cannot be used either in loop applications or in most packet-oriented networks.

3. Implementing the DES at the CPU

There are three different ways of implementing the DES at the CPU: locating the DES device in a front-end communications processor, locating it in the channel within the CPU or locating it in a hardware device controlled by the CPU. The advantage of the first is that the identical DES device may be used in the front end processor that is used in the terminal. The DES in a channel requires very high speed capabilities, perhaps 50 million bits-per-second throughput. The CPU implementation requires, as does the channel implementation, multi-chip DES for high speed reasons.

The integrated approach of implementing the DES as a CPU hardware device requires a very careful solution to the key management problem. With that in mind, I will define what I call an "optimum" solution to key management and key distribution in an integrated CPU and DES facility.*

Let us design a network consisting of N devices attached to a CPU. Each terminal has an imbedded, private Device Key (the encryption key to be used with the DES). Each key is different for good security. The question is, "How can any device talk to any other device if all of the keys are different?" The solution is to maintain a list of all of the private Device Keys in the memory of the CPU and let the CPU generate a new key for use in protecting the data between any two common devices.



*Editor's Note: Dr. Tuchman told a lengthy, humorous story at this point to illustrate his definition of the word "optimum."






To prevent this list of keys from being stolen or accidentally lost, we will encrypt this list of keys with another key which we call the Master Key. This key is located only on the DES device and cannot be read by anyone.

The following happens during a "session" of communications between any two of the devices. Let us say that terminal 2 wants to talk to terminal 8. The private keys for terminals 2 and 8 are both contained in the encryption key list which, of course, is encrypted by the Master Key. The CPU generates an encrypted Session Key from a device that is time-dependent and pseudo-random, such as the system clock. This encrypted Session Key (defined to be encrypted under the Master Key and never appearing in the CPU in its plain form) as well as the Private Key for terminal 2 and the Private Key for terminal 8 are all sent to the DES device controlled by the CPU. The Session Key is decrypted using the Master Key; the encrypted Device Key for terminal 2 is decrypted using the Master Key; and then the Session Key is encrypted using the Device Key of terminal 2. Similarly, the encrypted Device Key of terminal 8 is decrypted using the Master Key and the Session Key is encrypted using it. The encrypted Session Key is then sent to terminal 2 protected by the Device Key of terminal 2 and the encrypted Session Key is sent to terminal 8 protected by the Device Key of terminal 8. The Session Key is then decrypted at terminal 2 and at terminal 8 using their respective Device Keys. Thus, both terminal 2 and terminal 8 have the same Session Key and will be able to communicate.

That is the "optimum" solution we have found for key management in an integrated system design.
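The session set-up described above, as an added example in Python (it is not code from Dr. Tuchman's presentation). The DES device, the CPU and the terminals are modelled as classes of this example's own naming; the DES itself is replaced by a stand-in XOR transform with a SHA-256 derived pad, so keys wrap and unwrap but no cipher strength is claimed. What the example shows is which key protects what, and that neither the Master Key nor a plain Session Key is ever held by the CPU.

```python
"""Session Key distribution with the Master Key held only in the DES device.

Added example; not code from the proceedings. The DES is replaced by a
stand-in transform so the example runs on the standard library.
"""
import os
from hashlib import sha256


def _transform(key, data):
    """Stand-in for enciphering/deciphering one 8-byte key under another
    (XOR with a key-derived pad, so the same call serves both directions)."""
    pad = sha256(b"stand-in|" + key).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))


encrypt = decrypt = _transform


class DesDevice:
    """Hardware unit attached to the CPU. It alone holds the Master Key and
    never returns anything it decrypted under that key in the clear."""

    def __init__(self, master_key):
        self._mk = master_key

    def enroll(self, device_key):
        # Done once per terminal at installation; the CPU keeps only this.
        return encrypt(self._mk, device_key)

    def translate(self, enc_session_key, enc_device_key):
        session_key = decrypt(self._mk, enc_session_key)   # inside the device
        device_key = decrypt(self._mk, enc_device_key)     # inside the device
        return encrypt(device_key, session_key)            # what leaves it


class Cpu:
    def __init__(self, device):
        self.device = device
        self.key_list = {}        # terminal id -> Device Key encrypted under MK

    def enroll(self, term_id, device_key):
        self.key_list[term_id] = self.device.enroll(device_key)

    def open_session(self, a, b):
        # The CPU draws a pseudo-random value and *defines* it to be the
        # Session Key already encrypted under the Master Key, so the plain
        # Session Key never appears in CPU memory.
        enc_session_key = os.urandom(8)
        return (enc_session_key,
                self.device.translate(enc_session_key, self.key_list[a]),
                self.device.translate(enc_session_key, self.key_list[b]))


class Terminal:
    def __init__(self, device_key):
        self._dk = device_key     # imbedded private Device Key

    def receive_session_key(self, wrapped):
        return decrypt(self._dk, wrapped)


def run_session():
    """Terminal 2 talks to terminal 8. Returns what each terminal ends up
    holding, what the CPU saw, and the Master Key (for checking only)."""
    master_key = os.urandom(8)
    cpu = Cpu(DesDevice(master_key))
    terminals = {}
    for term_id in (2, 8):
        device_key = os.urandom(8)            # installed in the terminal
        terminals[term_id] = Terminal(device_key)
        cpu.enroll(term_id, device_key)       # stored only in encrypted form
    enc_sk, wrapped_2, wrapped_8 = cpu.open_session(2, 8)
    sk_2 = terminals[2].receive_session_key(wrapped_2)
    sk_8 = terminals[8].receive_session_key(wrapped_8)
    return sk_2, sk_8, enc_sk, master_key


if __name__ == "__main__":
    sk_2, sk_8, enc_sk, _ = run_session()
    print("terminals agree:", sk_2 == sk_8, "CPU saw plain key:", enc_sk == sk_2)
```

The CPU's key list and the value it hands out are both encrypted under the Master Key, so a dump of CPU memory yields neither a Device Key nor a Session Key; the only place the plain Session Key exists is inside the device during `translate` and at the two terminals after unwrapping.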




An LSI Implementation
of the
Data Encryption Standard

Howard O. Wright
Rockwell International
Mail Station 503-200
4311 Jamboree Road
Newport Beach, CA 92663



This paper describes an LSI circuit designed to perform data encryption using the algorithm adopted by the National Bureau of Standards as the Data Encryption Standard. The encryption unit enciphers/deciphers data in 64-bit blocks. Both input data and output data are buffered, allowing the unit to sustain a data rate up to 1.6 Mb/s. The unit has tri-state busing capability and is a versatile LSI unit, designed for use in a wide variety of applications. The unit is sufficiently small in size and low in power consumption and cost that it will allow data encipherment to be used in systems in which the use of encipherment was previously economically unfeasible.



Key words: Encryption; LSI; MOS; security.



1. Introduction

Collins Radio Group of Rockwell International Corporation has implemented an MOS circuit that is designed to perform the algorithm designated by the National Bureau of Standards as the Data Encryption Standard (DES). The 64-bit block enciphering system described herein consists of a method of enciphering or deciphering a 64-bit block of input data into a 64-bit block of output data with a variable, 56-bit key.

A single, 40-pin MOS circuit is described herein that performs the algorithm function and accomplishes a task that previously required over 100 medium scale integration (MSI) circuits to implement. The purpose of this paper is to describe a large scale integrated (LSI) circuit implementation of this algorithm. Rationale for the implementation and some of the ways envisioned for the circuit use will be discussed.



[Figure 1. Data Path Block Diagram: data input (8 bits) and the data input strobe load the 64-bit input buffer register; the start and encipher/decipher lines control the algorithm section, which raises busy; the 64-bit output buffer register feeds tri-state drivers to the data output under the data output strobe.]



2. Architecture

The architectural design of the LSI encryption unit was influenced by a number of application and technical parameters. The largest anticipated application for the units is in the terminal field. Many terminals are being designed around 8-bit, character-oriented microprocessors; therefore, architectural design was directed toward an 8-bit parallel input/output (I/O) terminal with busing capability. The design was also influenced by initial customer requirements for a unit with a throughput capability of at least 1 Mb/s.

The basic data path architecture for the LSI encryption unit is shown in figure 1. The data enciphered/deciphered are loaded into a 64-bit input buffer register, 8 bits at a time, using the data-input strobe line to control the transfer. Eight data input strobe pulses are required to complete the load of the 64-bit input buffer. The 64-bit input register is implemented using eight 8-bit shift registers. The initial permutation defined by the DES is accomplished at the input register by connecting the 8-bit input to the shift registers. Following a load of eight 8-bit bytes of data, the contents of the input register will be as defined by the DES initial permutation table.

Once the input buffer has been loaded, the start line will be pulsed to initiate operation of the algorithm section. The start pulse causes the contents of the input buffer register to be transferred to the algorithm section, and frees the input buffer register to receive another block of data. One pin on the unit is used to specify whether the processing is to encipher or decipher the input message. In either case, I/O is identical.

To allow the unit to sustain a data rate up to 1.6 Mb/s in a pipelined mode of operation, 64-bit buffer registers are used on both input and output. This type of architectural design allows simultaneous data input, algorithm unit processing, and data output.

The output buffer is a 64-bit buffer that is organized as eight 8-bit shift registers. The inverse of the initial permutation is accomplished at the output buffer in the same manner as the initial permutation was accomplished at the input register. A data output strobe line is used to transfer 1 bit from each of the eight registers to the output pins of the unit, and the data in each of the output buffer shift registers is shifted down 1 bit on the falling edge of the data output strobe. Eight data output strobe pulses are required to extract the contents of the output buffer register.
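How eight 8-bit shift registers yield the initial permutation, as an added example in Python (it is not the Rockwell design or code). It assumes the wiring the text implies: input pin r of each strobed byte feeds register r, and the permuted block is read from the registers in the order 2, 4, 6, 8, 1, 3, 5, 7. The example checks that wiring against the initial permutation table of FIPS 46 and shows the output buffer applying the inverse by running the same wiring backwards; the function names are this example's own.

```python
"""Eight 8-bit shift registers realising the DES initial permutation.

Added example; not code from the proceedings. Bit numbering follows the DES
tables: bit 1 is the most significant bit of byte 1.
"""

# DES initial permutation (FIPS 46): permuted bit i is input bit IP[i - 1].
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

# Register whose contents form each 8-bit row of the permuted block: row 1 is
# bits 58, 50, ..., 2, which are bit 2 of bytes 8 down to 1, i.e. register 2.
REGISTER_ORDER = [2, 4, 6, 8, 1, 3, 5, 7]


def bits_of(block):
    """8 bytes -> 64 bits; list index 0 holds DES bit 1."""
    return [(block[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]


def bytes_of(bits):
    return bytes(sum(bits[8 * i + j] << (7 - j) for j in range(8)) for i in range(8))


def permute_by_table(block, table):
    """Reference: apply a DES-style permutation table bit by bit."""
    b = bits_of(block)
    return bytes_of([b[t - 1] for t in table])


def inverse_table(table):
    inv = [0] * 64
    for i, t in enumerate(table):
        inv[t - 1] = i + 1
    return inv


def load_via_shift_registers(block):
    """Eight data-input strobes, byte 1 first and byte 8 last. Each register
    shifts in one bit per strobe, so its head holds the newest byte's bit."""
    regs = {r: [] for r in range(1, 9)}
    for byte in block:
        for r in range(1, 9):
            regs[r].insert(0, (byte >> (8 - r)) & 1)   # pin r carries bit r
    rows = [regs[r] for r in REGISTER_ORDER]
    return bytes_of([bit for row in rows for bit in row])


def unload_via_shift_registers(preoutput):
    """Load the algorithm result into the output registers row by row; each
    of eight data-output strobes then takes one bit from every register. The
    same wiring read backwards undoes the initial permutation."""
    b = bits_of(preoutput)
    regs = {REGISTER_ORDER[q]: b[8 * q:8 * q + 8] for q in range(8)}
    out = []
    for _ in range(8):
        byte = 0
        for r in range(1, 9):
            byte |= regs[r].pop() << (8 - r)   # bit r of the byte leaves register r
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    blk = bytes.fromhex("0123456789abcdef")
    print(load_via_shift_registers(blk) == permute_by_table(blk, IP))
    print(unload_via_shift_registers(load_via_shift_registers(blk)) == blk)
```

No gates are spent on the permutation at all: the table is realised entirely by which input pin is wired to which register and the order in which the registers are read, which is why the paper can absorb both IP and its inverse into the buffers.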

Two additional control signals are required to use the unit in the pipelined mode of operation: one is the busy signal, and the other is the enable output buffer load signal.



When the algorithm section is processing data or when it is holding previously processed data while waiting to load the output buffer, a busy condition is indicated by the busy signal. The busy signal goes high following a start pulse and remains high until the algorithm section has transferred a block of 64 bits to the output register. The falling edge of the busy signal is an indication to the external control logic that data is available in the output buffer and that the start line can be pulsed to start a new processing sequence.

The enable output buffer load signal line is pulsed to indicate to the algorithm section that the output buffer can be loaded when data is available. For normal block enciphering, this line will be pulsed after the eighth data output strobe has emptied the output buffer. Although the buffer empty signal could be generated internal to the chip by counting eight data output strobe pulses, there are cases in which only a few of the 64 output bits are actually used; therefore, allowing the external logic to determine when the output buffer can be loaded increases unit versatility.

2.1 Key Variables

The key variable used by the algorithm section is stored in an internal 56-bit key register. The method of handling key variables during load of the key register was influenced by the requirement in some systems to ensure complete physical separation between key variables and normal data paths. Consequently, eight pins on the package were devoted to a clear key port for use in entering clear key variables into the unit, as shown in figure 2.

A key strobe is used to enter key variable data, 8 bits at a time, into the unit through the clear key port inputs. Each 8-bit group is checked for odd parity as it is entered. Following removal of the parity bit, 7 bits of key variable information are entered into the key register each time the key strobe line is pulsed. A parity error line is available on an output pin and will be set if odd parity is not present on the clear key port while the key strobe line is high.

In addition to having the capability of loading a clear key through the clear key port, as described, the unit has a provision for deciphering key variable data in the algorithm section, checking the resulting clear key data for correct parity, and transferring the result to the key register. This process allows keys to be entered into the system in enciphered form. The enciphered keys can be carried to the unit by courier or can be transmitted to the unit via the normal communications path.

When enciphered key variable data are entered into the input buffer over the normal input data lines, the rekey line is pulsed instead of the start line to start the algorithm. When the algorithm unit has completed deciphering the key variable, it is loaded into the output buffer, checked for proper parity, and finally loaded into the key register. During this process, the tri-state drivers on the output are forced off to prevent clear key variable data from being observed on the output.

[Figure 2. Key Path Block Diagram: the clear key port (8 bits) and the output buffer register (fed by the algorithm section during rekey) pass through selection gates and an odd parity check, which drives the parity error output, into the key register; the key register has its own key power pin and feeds the algorithm section; tri-state drivers gate the output; rekey and busy control signals.]

An important security precaution is taken during the rekey process by gating off the tri-state output drivers and clearing the output buffer following the rekey process. This feature, when coupled with a suitable key distribution procedure, can help prevent a covert attempt to obtain key variable information from the unit even though an intruder has access to the unit's circuitry. This is particularly important at an unsecured remote terminal site.


The capability to power the key register through a separate power pin, which allows a small battery backup to be designed into the system to provide nonvolatile key storage (lasting up to several days during a power outage condition), is an additional feature designed for use at a remote terminal.
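The following C program is an added example, not code from the paper. It models the clear key port and key register behavior described above: a key strobe delivering one 8-bit group at a time, the odd parity check, the parity error line, and the packing of the seven remaining bits of each group into the 56-bit key register. The parity bit position (least significant bit of each byte) is the FIPS 46 convention; the sample key, the damaged copy of it, and the type and function names are the example's own.

```c
/* Added example, not the paper's own code: a software model of the clear
 * key port and 56-bit key register described in section 2.1. Each pulse of
 * the key strobe presents one 8-bit group; the unit checks it for odd
 * parity, drops the parity bit and shifts the remaining 7 bits into the key
 * register. The parity bit is taken to be the least significant bit of each
 * byte, which is the FIPS 46 convention (key bits 8, 16, ..., 64). */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t key_register;  /* 56 bits of key variable in the low 56 bits */
    int      groups_loaded; /* 8-bit groups accepted so far (0..8) */
    int      parity_error;  /* state of the PARITY ERROR output line */
} key_path;

/* Odd parity check: a group is accepted only if it has an odd number of 1 bits. */
int odd_parity_ok(uint8_t group)
{
    int ones = 0;
    for (int i = 0; i < 8; i++)
        ones += (group >> i) & 1;
    return (ones & 1) == 1;
}

/* Sets the parity (least significant) bit so that the byte has odd parity. */
uint8_t set_odd_parity(uint8_t b)
{
    return odd_parity_ok(b) ? b : (uint8_t)(b ^ 1);
}

void key_path_reset(key_path *kp)
{
    kp->key_register = 0;
    kp->groups_loaded = 0;
    kp->parity_error = 0;
}

/* One pulse of the key strobe line with 'group' on the clear key port.
 * Returns 1 if the group was accepted; 0 if the parity error line was
 * raised, in which case the key register is left unchanged. */
int key_strobe(key_path *kp, uint8_t group)
{
    if (!odd_parity_ok(group)) {
        kp->parity_error = 1;
        return 0;
    }
    /* Drop the parity bit and shift the 7 information bits in, MSB first. */
    kp->key_register = ((kp->key_register << 7) | (group >> 1)) & 0x00FFFFFFFFFFFFFFULL;
    kp->groups_loaded++;
    return 1;
}

/* Strobes all eight groups of a 64-bit key. Returns 1 only if every group
 * passed the parity check. */
int load_clear_key(key_path *kp, const uint8_t key[8])
{
    key_path_reset(kp);
    for (int i = 0; i < 8; i++)
        if (!key_strobe(kp, key[i]))
            return 0;
    return 1;
}

/* Constructed sample key: every byte already carries odd parity. */
static const uint8_t SAMPLE_KEY[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
/* The same key with one bit flipped in the third byte (0x45 -> 0x44), which
 * gives that byte even parity, as a courier or line error would. */
static const uint8_t DAMAGED_KEY[8] = {0x01, 0x23, 0x44, 0x67, 0x89, 0xAB, 0xCD, 0xEF};

/* Key register contents after the sample key is strobed in. */
uint64_t sample_key_register(void)
{
    key_path kp;
    load_clear_key(&kp, SAMPLE_KEY);
    return kp.key_register;
}

/* Groups accepted before the damaged key raised the parity error line
 * (returns -1 if the line was not raised). */
int damaged_key_groups_loaded(void)
{
    key_path kp;
    if (load_clear_key(&kp, DAMAGED_KEY) || !kp.parity_error)
        return -1;
    return kp.groups_loaded;
}

int main(void)
{
    printf("key register after sample key: %014llx\n",
           (unsigned long long)sample_key_register());
    printf("damaged key: parity error raised after %d groups\n",
           damaged_key_groups_loaded());
    printf("third byte with parity repaired: %02x\n", set_odd_parity(0x44));
    return 0;
}
```

Because the parity bit is discarded, the register holds seven bits per group packed end to end, so its value is not simply the hex digits of the key with every other nibble removed; `sample_key_register` shows the actual packing. The damaged key is rejected at the third strobe, with the first two groups already in the register, which is why a system must treat the parity error line as "discard and reload", not as a warning.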

2.2 I/O Busing

To facilitate using the unit in systems built around a bus concept, two signals were added that allow the control signals previously described to be bused. A control enable signal was ANDed with the start, rekey, encipher/decipher and the enable output buffer load lines. The control enable signal is designed to be connected to the addressing function associated with the bus; and, when a bus output sequence is addressed to the control inputs of the algorithm unit, the control enable signal is momentarily raised to gate the state of the four control signals from the bus into storage elements within the unit.

The busy and the parity error signals are gated to the output pins of the unit through tri-state drivers. The drivers are enabled by a status enable signal that allows the busy and the parity error signals to be gated onto the bus when addressed by the bus addressing function. For systems that do not employ busing, the control enable and the status enable signals can be tied to a logical state and ignored.

2.3 Algorithm Section

The block diagram shown in figure 3 illustrates the complete encryption unit including the algorithm section. As previously described, the initial permutation (IP) is performed at the input buffer. Data are transferred from the input buffer to the 32-bit registers L and R to begin a processing cycle. A processing cycle, either encipher or decipher, is accomplished in 16 processing iterations. As defined by the E bit selection table in the DES, 48 bits are selected from the R register, and are exclusive ORed with selected bits from the key register as defined by Table PC-2 of the DES. The resulting output is used to address Read Only Memories (ROM's) S1 through S8. Output bits from the ROM's are selected according to the primitive function P, and are exclusive ORed with the 32-bit contents of the L register. The final step in an iteration process is to transfer the contents of the R register to the L register, and to transfer the results of the last exclusive OR into the R register.




Figure 3. Complete Unit Block Diagram
(Diagram not reproduced. Legible labels: SELECTION GATES, REGISTER, E, PERMUTATION, OUTPUT, TRI-STATE DATA OUTPUT.)




Between iterations the key data are rotated in the key registers, as defined by the DES. Following the sixteenth iteration, data are transferred to the output buffer registers and the inverse permutation is accomplished at the output of the output buffer registers, as previously described.
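As an added illustration, not the paper's code, the processing cycle just described is written out in C below: sixteen iterations, each moving R into L and the exclusive OR result into R, with the key register rotated between iterations on the FIPS 46 schedule and the iteration keys taken in reverse order to decipher. The round function and the 48-bit key selection are keyed stand-ins for the E, S1 through S8, P and PC-2 tables, which this section does not reproduce, so the program shows the structure of a processing cycle rather than the DES itself; the initial and inverse permutations done at the I/O buffers are omitted, and the key and data values are constructed.

```c
/* Added example, not the paper's own code: the sixteen-iteration processing
 * cycle of section 2.3 in software. The L/R data flow, the key-register
 * rotation schedule between iterations and the reversal of the key order for
 * deciphering follow FIPS 46. The round function f and the 48-bit key
 * selection are keyed stand-ins for the E, S1-S8, P and PC-2 tables, which
 * are not reproduced here, so this is NOT the DES algorithm; the initial and
 * inverse permutations done at the I/O buffers are omitted. */
#include <stdint.h>
#include <stdio.h>

/* Left-rotation amounts applied to the two 28-bit key halves C and D before
 * each iteration (FIPS 46 key schedule). They sum to 28, so the key register
 * is back at its starting position after the sixteenth iteration. */
static const int KEY_SHIFTS[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};

typedef struct { uint64_t k[16]; } iteration_keys;

static uint32_t rotl28(uint32_t v, int n)
{
    return ((v << n) | (v >> (28 - n))) & 0x0FFFFFFFu;
}

/* Stand-in for E expansion, S-box lookup and P permutation: a keyed,
 * non-linear mix of the 32-bit R register with the 48-bit iteration key. */
static uint32_t f_standin(uint32_t r, uint64_t k48)
{
    uint32_t x = r ^ (uint32_t)k48 ^ (uint32_t)(k48 >> 16);
    x *= 0x9E3779B1u;   /* odd constants keep each step a bijection */
    x ^= x >> 15;
    x *= 0x85EBCA77u;
    x ^= x >> 13;
    return x;
}

/* Rotate the key register between iterations and pick 48 of its 56 bits.
 * The pick (low 24 bits of C and of D) is a stand-in for table PC-2. */
iteration_keys key_schedule(uint64_t key56)
{
    iteration_keys ks;
    uint32_t c = (uint32_t)(key56 >> 28) & 0x0FFFFFFFu;
    uint32_t d = (uint32_t)key56 & 0x0FFFFFFFu;
    for (int i = 0; i < 16; i++) {
        c = rotl28(c, KEY_SHIFTS[i]);
        d = rotl28(d, KEY_SHIFTS[i]);
        ks.k[i] = ((uint64_t)(c & 0x00FFFFFFu) << 24) | (d & 0x00FFFFFFu);
    }
    return ks;
}

/* Returns 1 if the sixteen rotations bring C and D back to where they started. */
int key_register_returns_home(uint64_t key56)
{
    uint32_t c0 = (uint32_t)(key56 >> 28) & 0x0FFFFFFFu, d0 = (uint32_t)key56 & 0x0FFFFFFFu;
    uint32_t c = c0, d = d0;
    for (int i = 0; i < 16; i++) {
        c = rotl28(c, KEY_SHIFTS[i]);
        d = rotl28(d, KEY_SHIFTS[i]);
    }
    return c == c0 && d == d0;
}

/* One processing cycle on a 64-bit block held as L (high 32 bits) and R.
 * Each iteration moves R into L and the exclusive OR result into R, as the
 * text describes. The halves leave the sixteenth iteration un-swapped
 * (FIPS 46 preoutput R16 L16), which is what lets deciphering reuse the
 * same datapath with the iteration keys taken in reverse order. */
static uint64_t process(uint64_t block, const iteration_keys *ks, int decipher)
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < 16; i++) {
        uint64_t k = ks->k[decipher ? 15 - i : i];
        uint32_t t = l ^ f_standin(r, k);
        l = r;
        r = t;
    }
    return ((uint64_t)r << 32) | l;
}

uint64_t encipher(uint64_t block, uint64_t key56)
{
    iteration_keys ks = key_schedule(key56);
    return process(block, &ks, 0);
}

uint64_t decipher(uint64_t block, uint64_t key56)
{
    iteration_keys ks = key_schedule(key56);
    return process(block, &ks, 1);
}

int main(void)
{
    uint64_t key = 0x00451338957377ULL;       /* constructed 56-bit key */
    uint64_t plain = 0x4E6F772069732074ULL;   /* constructed data block */
    uint64_t cipher = encipher(plain, key);
    printf("plain  %016llx\ncipher %016llx\nback   %016llx\nkey register home: %d\n",
           (unsigned long long)plain, (unsigned long long)cipher,
           (unsigned long long)decipher(cipher, key), key_register_returns_home(key));
    return 0;
}
```

One detail is worth noting: the text describes the R-to-L transfer at every iteration, while FIPS 46 defines the preoutput as R16 L16, that is, the halves are read out un-swapped after the sixteenth iteration. The program follows FIPS 46 because that is precisely what allows the decipher cycle to be the identical datapath with the key order reversed. The sixteen rotation amounts sum to 28, so the rotating key register ends each cycle where it began, which `key_register_returns_home` checks; a hardware unit can therefore run cycle after cycle without reloading the key.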

2.4 Final Product

The circuit is built using PMOS technology, and is contained in a 40-pin package. The unit requires +5 and -12 volts and dissipates 300 mW of power. A free-running clock is required to run the algorithm section. The time to process a 64-bit block of data is dependent upon the speed of the clock and is defined by:

    Time = (Clock Period) x (64)

The maximum clock frequency cannot exceed 1.6 MHz.

3. Applications

Figure" \ pT:esents an example of how Ihe unit carK^jused in a ' , 
microprocessor system. The unit i5 completely under the control of the 
processor^ The p^^oceisor loads ttie unit wi.th,64 bits;of data to be en- • 
ciphered or deciphered,. starts the unit, and then reads out the 64-bit 
result* For applications requiring liigher throughput, ^niore ttUn one unit 
can^e connecteiJ to the bus; also, the unit could be <;pnnected tQ the 
hus through a" DMA channel to relieve the processor of 'handling each byte 
of data. ^ 

There are many applications in which the requirement to handle enciphered data in blocks of 64 bits is too restrictive (i.e., the case of an interactive terminal connected to a processor). For such applications the algorithm unit was designed to support a cipher feedback system. In this mode of operation, data are enciphered by exclusive ORing them with the output of the algorithm unit. The enciphered data are then loaded back into the algorithm unit and the algorithm unit is started. After the algorithm unit has loaded its output register, the next clear text data are enciphered, and the cycle repeats. Only 8 bits of the 64 bits generated each cycle at the output of the algorithm unit are used, and the unit is cycled after only 8 bits have been loaded into the input register. The input to the algorithm for each cycle then becomes the previous 64 bits of enciphered data.

This system has the advantage that, once eight characters have been passed through the system to synchronize the receiving algorithm unit, a character will be deciphered at the receiver for each character input at the transmitting end. Therefore, the block encipherment requirement is eliminated.



Figure 4. Microprocessor Based System
(Diagram not reproduced. Blocks: MICROPROCESSOR, COMMUNICATION INTERFACE and MEMORY on the MICROPROCESSOR BUS; the DES ALGORITHM UNIT attached to the bus through DATA IN, DATA OUT, CONTROL IN and STATUS OUT.)



Similar techniques can be applied to handle serial data, or data in any character width from 1 to 64 bits; however, when data path widths other than multiples of eight are used, an accumulating register at the input to the algorithm unit is required.

4. Conclusion

The 64-bit block enciphering circuit is a versatile LSI unit with high throughput capability that was designed for use in a wide variety of applications. The unit defined herein provides the system designer with a powerful and cost-effective tool for solving many of the data security problems that currently face the industry. The unit is sufficiently small in size, and low in power consumption and cost, that it will allow data encipherment to be used in systems in which the use of encipherment was previously economically unfeasible.

5, " References 

y "Data^ Encryption Standard,^ Feder^ Informati on Proems sirxg--^ 
Standard Publication 46, National^ Bweau of Standard^ , "January -1^7 1977 







A Microprocessor Controlled LSI Implementation of the Data Encryption Standard

Keith Warble
Motorola Inc.
Government Electronics Division
Scottsdale, Arizona

and

Durrell Hillis
Motorola Inc.
Government Electronics Division
Mail Station 2289
8201 E. McDowell Rd.
Scottsdale, Arizona 85252
Telephone: (602) 949-4735

Presented is an LSI implementation of the Data Encryption Standard. The device has been developed for use with microcomputer based data processors, with encryption or decryption of 64 bit blocks inputted and outputted through a single 8 bit tri-state bus port. A single +5 volt supply powers the LSI chip; block processing time is 160 microseconds, allowing typical MPU configurations to operate over 200 Kb/s. The unit possesses two key registers to facilitate downline loading of encrypted key, with on-chip decryption and error checking under the control of a resident master key. Continual checking of the operating key during algorithm execution as well as during key load provides an economical degree of security for many applications.



Key words: Communication; Encryption; LSI; microprocessor; MOS.






1. Introduction



A hardware LSI implementation of the Data Encryption Standard has been developed at Motorola Government Electronics Division. The device, called the Data Security Device (DSD), performs the 64 bit block encryption or decryption according to the Federal Standard algorithm utilizing one of two 56 bit keys stored on chip. Plain and cipher data blocks are inputted and outputted through a single 8 bit tri-state I/O port, so that minimum load is presented to a microprocessor data bus.

The DSD is configured on a Silicon Gate N-Channel MOS Depletion Load LSI chip contained in a 24 pin package to minimize device cost.



This paper will discuss the flexible control features of the chip design, and applications of these features in secure data module implementations.

2. Data Security Device Construction



The Data Security Device was designed to provide the DES security function for many existing terminal, link and computer systems. Since a large number of these systems now utilize microcomputer devices for processing and formatting of data, emphasis has been placed upon the ease of implementing security with the DSD chip in existing microprocessor hardware. Use of a single 5 volt power source, conventional clock sources, and minimum data bus loading are features of the DSD.



3. DSD Architecture

The Data Security Device appears to an MPU system as an Interface Adapter device. An illustrative example of such a system, with the encryption function added, is shown in figure 1.




Figure 1. M6800 Microcomputer Family Block Diagram
(Diagram not reproduced. Blocks: MC6800 MICROPROCESSOR, READ ONLY MEMORY, RANDOM ACCESS MEMORY, PERIPHERAL INTERFACE ADAPTER, COMMUNICATIONS INTERFACE ADAPTER, DATA SECURITY DEVICE and MODEM, connected by the DATA BUS and ADDRESS BUS.)



Internal construction of the DSD is illustrated by the block diagram of figure 2. The device consists of a single 8 bit Data Bus Buffer with tri-state operation, through which data may be entered into 64 bit Active or Major Key Registers or a 64 bit Data Block Register. Output data from the Data Block Register is also switched through the Data Bus Buffer.



Figure 2. Data Security Device Block Diagram (DES Algorithm)
(Diagram not reproduced. Blocks: DATA BUS, THREE STATE OUTPUT, INPUT SELECT LOGIC, OUTPUT DATA MUX, ADDRESS TIMING AND CONTROL, ADDRESS DECODER AND DEVICE CONTROL, INTERRUPT REQUEST, STATUS REGISTER, 64 BIT DATA REGISTER, DATA/KEY SELECT, ALGORITHM LOGIC, S MAP ROM, ACTIVE KEY REGISTER, PARITY LOGIC, MAJOR KEY REGISTER.)



At the bus interface, the Data Security Device (DSD) appears as eight addressable memory locations to the MPU, through which the operational mode of the chip may be selected, chip status monitored, key or data written into the device, and data read from the device.

As shown in table 1, the operation of the DSD is split into five major modes: (1) Data Encryption, (2) Data Decryption, (3) Loading of Data or Encrypted Key, (4) Data Readout and (5) Status Readout. These and additional control modes are activated by three address input lines and a Read/Write input command.



Table 1. MAJOR OPERATIONAL MODES OF DATA SECURITY DEVICE

    CONTROL ADDRESS         OPERATIONAL MODE
    A0   A1   A2   R/W
     0    0    0    0       WRITE DATA/KEY OPERATION
     1    0    1    0       ENCIPHER DATA *
     0    0    1    0       DECIPHER DATA *
     0    0    1    1       READ DATA
     1    0    0    1       READ STATUS

    * Instruction performed during eighth byte of Data Block entry.

Table 2 illustrates additional control operations which initialize the chip and determine the operational key to be used. Since the writing of ciphered key appears as data to be processed, the control address present at the eighth byte of data block entry is used to determine whether the processed data can be made available for output (valid data) or loaded into the Active Key Register.



Table 2. CONTROL MODES OF DATA SECURITY DEVICE

    CONTROL ADDRESS         CONTROL MODE
    A0   A1   A2   R/W
     1    0    0    0       RESET/INITIALIZE
     ?    ?    ?    ?       ACTIVATE MAJOR KEY *
     ?    ?    ?    ?       ACTIVATE PLAIN SECONDARY KEY *
     ?    ?    ?    ?       DECIPHER SECONDARY KEY *
     ?    ?    ?    ?       ENCIPHER SECONDARY KEY *

    ? = address bit not legible in the source scan.
    * Instruction performed during eighth byte of Key Block entry.



4. Chip Initialization

A RESET signal input to the DSD is used to initialize the internal control logic, status flags, and counters. The RESET function should be coupled with the system power on reset to provide orderly system initialization and also may be used as a master reset to the chip during system operation.

Reinitialization may also be performed under software control by a write command under address control A0 = 1, A1 = 0, A2 = 0, R/W = 0.


5. Key Operations

Two key registers in the DSD allow storage of a Major Key while processing data with an Active Key. Both key registers are loaded through the data bus port, with command addressing dependent on the form and destination of the key.

The prime or master key is entered into the Major Key Register and simultaneously checked for parity error and loaded into the Active Key Register. During algorithm operation, the DSD continually performs parity checking on the contents of the Active Key Register.

A secondary key may be loaded into the Active Key Register in plain or ciphered form. If the secondary key load command shows a cipher key operation, the DSD will process the key using the present Active Key. The DSD must have previously been loaded with either Major Key or another Secondary Key. After algorithm processing, the DSD transfers the deciphered Secondary Key to the Active Key Register while checking parity. Should the Secondary Key contain parity errors, as is possible with down line loaded data, a repeat cipher key operation may be performed using a Major Key transfer. During Secondary Key or transfer operations, the contents of the Major Key Register are preserved.



6. Enciphering of Data



For the enciphering process to take place a key, major or secondary, must be resident in the Active Key Register. Data is written into the device in eight eight-bit bytes under software control. The first seven bytes are written into the device under address control A0 = 0, A1 = 0, A2 = 0, R/W = 0. The eighth byte is written under address control A0 = 1, A1 = 0, A2 = 1, R/W = 0. After the eighth byte has been written, enciphering of the Data block automatically commences utilizing the key stored in the Active Key Register.



As the enciphering algorithm is initiated, the key is checked for parity error, which if detected sets the Key Parity Error flag. Any external action other than a read request of status (A0 = 1, A1 = 0, A2 = 0, R/W = 1) during the actual enciphering process will be ignored by the device.

At the completion of the enciphering process, the enciphered data may be read from the device under software control. For some system applications, e.g., cipher feedback operation, it may be desirable to enter a new block of data without reading out the total block previously enciphered. Input of new data without total readout is therefore not precluded by the DSD.



7. Deciphering of Data



The process of deciphering of data is operationally the same as the enciphering process with the exception that the eighth byte of data is written into the device under address control A0 = 0, A1 = 0, A2 = 1, R/W = 0.



8. Reading of Data and Status


Data may be read from the device in eight-bit bytes under address control A0 = 0, A1 = 0, A2 = 1, R/W = 1. Any attempt to read data while the device is "busy" will be ignored.




Two device status bits are provided which can be read from the device under software control (A0 = 1, A1 = 0, A2 = 0, R/W = 1). Key Parity Error (PE) appears on bus data line D0, and Device Busy appears on bus data line D1. D2 through D7 are held to logic 0 during a read of status. PE and BUSY are also provided in complement form as "open drain" discrete outputs from the device, IRQA and IRQB, for use as interrupt requests and/or status display.
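Added example, not Motorola's code: a C model of the DSD register interface of sections 4 through 8 together with the driver sequence an MPU would run against it, so that the address settings of tables 1 and 2 can be exercised. The A0/A1/A2/R/W settings, the seven-plus-one byte write sequence, the parity check of the Active Key as the algorithm starts, the status bit positions (PE on D0, BUSY on D1) and the rule that reads are ignored while busy follow the text. The block transform, the length of the busy period (counted here in status polls), the value an MPU sees on an undriven bus, and the placing of the key straight into the Active Key Register (the table 2 key commands are not modeled) are assumptions of the example, as are all names.

```c
/* Added example (not Motorola's code): a model of the DSD register interface
 * of sections 4 through 8 and the MPU driver sequence that uses it. Address
 * settings, the 7 + 1 byte write sequence, the key parity check at algorithm
 * start, the status bits (PE on D0, BUSY on D1) and the ignoring of reads
 * while busy follow the text; the block transform, the busy duration, the
 * undriven-bus value and the direct key loading are stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { int a0, a1, a2, rw; } bus_addr;        /* A0, A1, A2, R/W */
static const bus_addr WRITE_DATA    = {0, 0, 0, 0};   /* first seven bytes of a block */
static const bus_addr ENCIPHER_DATA = {1, 0, 1, 0};   /* eighth byte: start enciphering */
static const bus_addr DECIPHER_DATA = {0, 0, 1, 0};   /* eighth byte: start deciphering */
static const bus_addr READ_DATA     = {0, 0, 1, 1};
static const bus_addr READ_STATUS   = {1, 0, 0, 1};
static const bus_addr RESET_DEVICE  = {1, 0, 0, 0};   /* software reinitialization */
#define STATUS_PE    0x01                             /* Key Parity Error on D0 */
#define STATUS_BUSY  0x02                             /* Device Busy on D1 */
#define BUS_UNDRIVEN 0xFF                             /* assumed: port left tri-stated */

typedef struct {
    uint8_t active_key[8], block[8];   /* Active Key Register, Data Block Register */
    int count, read_pos, parity_error;
    int busy;                          /* stand-in: status polls left until processing ends */
} dsd;

static int odd_parity_ok(uint8_t b) { int n = 0; for (int i = 0; i < 8; i++) n += (b >> i) & 1; return n & 1; }
static uint64_t pack(const uint8_t b[8]) { uint64_t v = 0; for (int i = 0; i < 8; i++) v = v << 8 | b[i]; return v; }
static void unpack(uint64_t v, uint8_t b[8]) { for (int i = 7; i >= 0; i--) { b[i] = (uint8_t)v; v >>= 8; } }

/* Invertible 64-bit stand-in transform (NOT DES). */
static uint64_t standin(uint64_t x, uint64_t k, int decipher)
{
    if (!decipher) return ((x ^ k) << 13 | (x ^ k) >> 51) + k;
    x -= k;
    return (x >> 13 | x << 51) ^ k;
}
/* Hardware RESET plus key load (stand-in for the table 2 key commands). */
void dsd_power_on(dsd *d, const uint8_t key[8]) { memset(d, 0, sizeof *d); memcpy(d->active_key, key, 8); }

/* Eighth byte received: check key parity, run the algorithm, go busy. */
static void dsd_start(dsd *d, int decipher)
{
    d->parity_error = 0;
    for (int i = 0; i < 8; i++) if (!odd_parity_ok(d->active_key[i])) d->parity_error = 1;
    unpack(standin(pack(d->block), pack(d->active_key), decipher), d->block);
    d->count = d->read_pos = 0;
    d->busy = 3;
}
/* One MPU write cycle; the three address lines select the register. */
void dsd_bus_write(dsd *d, bus_addr a, uint8_t v)
{
    int idx = a.a0 | a.a1 << 1 | a.a2 << 2;
    if (a.rw != 0 || d->busy) return;                   /* writes are ignored while busy */
    if (idx == 1) { d->count = d->read_pos = d->parity_error = 0; return; }   /* RESET */
    if (idx == 0 && d->count < 7) d->block[d->count++] = v;
    else if ((idx == 5 || idx == 4) && d->count == 7) { d->block[7] = v; dsd_start(d, idx == 4); }
}
/* One MPU read cycle. */
uint8_t dsd_bus_read(dsd *d, bus_addr a)
{
    int idx = a.a0 | a.a1 << 1 | a.a2 << 2;
    if (a.rw != 1) return BUS_UNDRIVEN;
    if (idx == 1) {                                     /* READ STATUS */
        uint8_t s = (d->busy ? STATUS_BUSY : 0) | (d->parity_error ? STATUS_PE : 0);
        if (d->busy) d->busy--;                         /* processing time passes */
        return s;
    }
    if (idx == 4 && !d->busy) return d->block[d->read_pos++ & 7];   /* READ DATA */
    return BUS_UNDRIVEN;                                /* data read while busy: ignored */
}
/* Driver: write 7 + 1 bytes, poll status until BUSY clears, read the result.
 * Returns 0 on success, -1 if the Key Parity Error flag was raised. */
int dsd_process_block(dsd *d, const uint8_t in[8], uint8_t out[8], int decipher)
{
    uint8_t status;
    for (int i = 0; i < 7; i++) dsd_bus_write(d, WRITE_DATA, in[i]);
    dsd_bus_write(d, decipher ? DECIPHER_DATA : ENCIPHER_DATA, in[7]);
    do { status = dsd_bus_read(d, READ_STATUS); } while (status & STATUS_BUSY);
    if (status & STATUS_PE) return -1;
    for (int i = 0; i < 8; i++) out[i] = dsd_bus_read(d, READ_DATA);
    return 0;
}
/* Constructed key (odd parity in every byte), a damaged copy, and a data block. */
static const uint8_t GOOD_KEY[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
static const uint8_t BAD_KEY[8]  = {0x01, 0x23, 0x44, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
static const uint8_t PLAIN[8]    = {'S', 'A', 'M', 'P', 'L', 'E', '0', '1'};
int dsd_roundtrip_ok(void)             /* encipher, then decipher, through the bus */
{
    dsd d; uint8_t c[8], p[8];
    dsd_power_on(&d, GOOD_KEY);
    dsd_bus_write(&d, RESET_DEVICE, 0);
    if (dsd_process_block(&d, PLAIN, c, 0) || dsd_process_block(&d, c, p, 1)) return 0;
    return memcmp(p, PLAIN, 8) == 0 && memcmp(c, PLAIN, 8) != 0;
}
int dsd_flags_bad_key(void)            /* a damaged parity bit in the key raises PE */
{
    dsd d; uint8_t c[8];
    dsd_power_on(&d, BAD_KEY);
    return dsd_process_block(&d, PLAIN, c, 0) == -1;
}
int dsd_ignores_read_while_busy(void)  /* a data read during processing is ignored */
{
    dsd d;
    dsd_power_on(&d, GOOD_KEY);
    for (int i = 0; i < 7; i++) dsd_bus_write(&d, WRITE_DATA, PLAIN[i]);
    dsd_bus_write(&d, ENCIPHER_DATA, PLAIN[7]);
    return dsd_bus_read(&d, READ_DATA) == BUS_UNDRIVEN && d.read_pos == 0 && d.busy == 3;
}
int main(void)
{
    printf("roundtrip ok: %d, bad key flagged: %d, read while busy ignored: %d\n",
           dsd_roundtrip_ok(), dsd_flags_bad_key(), dsd_ignores_read_while_busy());
    return 0;
}
```

The three address lines and R/W together form the "eight addressable memory locations" of section 3; the same location index serves as RESET when written and as READ STATUS when read, and as DECIPHER when written and READ DATA when read, which the model keeps. The driver checks PE after the busy wait rather than before starting, because the text places the parity check at the moment the algorithm is initiated.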

9. Device Operating Configurations

The DSD is packaged in a 24 pin Dual In-Line package. In addition to Data, Address and Status/Interrupt pins, six pins are used for Chip Enable and five Chip Select lines, so that several DSD's may be operated under the control of one microprocessor. A free-running 2 MHz clock synchronizes the DSD with MPU configurations; for M6800 configurations, the MC6871 or MC6875 clock generator provides 1 MHz system clock to the MPU and 2 MHz to the DSD. Under this configuration, a block processing time of 160 microseconds, and typical input/output of 120 microseconds, yield a maximum data encryption rate of approximately [illegible] Kb/s. DSD operating power dissipation averages 450 milliwatts in this configuration.

Figure 3 shows a typical system application of the DSD/MPU configuration operating in the Cipher Feedback (CFB) Mode. A Peripheral Interface Adapter is used to input unciphered data and output cipher data on a byte-by-byte basis. The configuration makes use of the MPU's exclusive OR instruction and the DSD's encrypt and decrypt capability on consecutive operations. Each character or byte of data is enciphered by exclusive ORing with a byte of the last encrypted block from the DSD. The DSD then decrypts the cipher block to recover the previous enciphered data block and updates this block with the new enciphered data byte. Because approximately 460 microseconds are required for each character processed, the data rate in CFB is slowed to 20 Kb/s. A minor modification to the DSD chip address logic is required to perform CFB operation in accordance with NBS Guidelines. However, it may be desirable to allow room for differing versions of CFB to reduce the bit error extension difficulties anticipated for some communications links.
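Added example, not code from either paper: the cipher feedback arrangement described in section 3 ("Applications") of the preceding paper and in the paragraph above, written in C. The 64-bit input register holds the last 64 bits of cipher text, each cycle uses only the leftmost 8 bits of the algorithm output, and the cipher byte is shifted into the input register at both ends of the link. The block function is a constructed keyed stand-in, not DES; that is enough to show the three properties the text relies on: a receiver comes into step once eight cipher characters have passed through it, a single bit error on the line disturbs the damaged character and at most the eight that follow it, and the link then recovers by itself. The key, initial register contents, message and all names are the example's own.

```c
/* Added example (not either paper's code): 8-bit cipher feedback as described
 * in section 3 of the preceding paper and in section 9 above. The 64-bit input
 * register holds the last 64 bits of cipher text; each cycle runs the block
 * function once, uses only its leftmost 8 output bits to encipher one
 * character, and shifts the cipher byte into the input register. The block
 * function is a keyed stand-in, NOT DES; CFB needs only its encipher direction. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in 64-bit block function (not DES). */
static uint64_t block_standin(uint64_t in, uint64_t key)
{
    uint64_t x = in ^ key;
    for (int i = 0; i < 4; i++) {
        x *= 0x9E3779B97F4A7C15ULL;
        x ^= x >> 29;
        x += key;
    }
    return x;
}

typedef struct {
    uint64_t key;
    uint64_t input_reg;   /* previous 64 bits of cipher text; starts as the IV */
} cfb8_unit;

void cfb8_init(cfb8_unit *u, uint64_t key, uint64_t iv) { u->key = key; u->input_reg = iv; }

/* Transmitter: encipher one character and feed the cipher byte back. */
uint8_t cfb8_encipher_byte(cfb8_unit *u, uint8_t plain)
{
    uint8_t keystream = (uint8_t)(block_standin(u->input_reg, u->key) >> 56);
    uint8_t cipher = plain ^ keystream;
    u->input_reg = (u->input_reg << 8) | cipher;
    return cipher;
}
/* Receiver: the received cipher byte (not the recovered plain byte) is fed
 * back, so the receiver follows whatever the line actually delivered. */
uint8_t cfb8_decipher_byte(cfb8_unit *u, uint8_t cipher)
{
    uint8_t keystream = (uint8_t)(block_standin(u->input_reg, u->key) >> 56);
    u->input_reg = (u->input_reg << 8) | cipher;
    return cipher ^ keystream;
}

/* Constructed message, key and initial register contents. */
static const char     SAMPLE[] = "Constructed sample text for the CFB-8 example.";
static const uint64_t KEY = 0x0123456789ABCDEFULL;
static const uint64_t IV  = 0x1122334455667788ULL;

/* Enciphers SAMPLE, flips one bit of cipher byte corrupt_at (none if past the
 * end), deciphers with a receiver whose register starts at rx_iv, and sets
 * wrong[i] for every recovered byte that differs. Returns the message length. */
size_t cfb8_trial(size_t corrupt_at, uint64_t rx_iv, int wrong[64])
{
    size_t n = strlen(SAMPLE);
    uint8_t cipher[64];
    cfb8_unit tx, rx;
    cfb8_init(&tx, KEY, IV);
    cfb8_init(&rx, KEY, rx_iv);
    for (size_t i = 0; i < n; i++) cipher[i] = cfb8_encipher_byte(&tx, (uint8_t)SAMPLE[i]);
    if (corrupt_at < n) cipher[corrupt_at] ^= 0x10;          /* single-bit line error */
    for (size_t i = 0; i < n; i++) wrong[i] = cfb8_decipher_byte(&rx, cipher[i]) != (uint8_t)SAMPLE[i];
    return n;
}
/* Error extension: the damaged character is always wrong, the eight after it
 * may be (the bad byte stays in the 64-bit register for eight more cycles), and
 * the rest are right. Returns how many recovered bytes are wrong; a corrupt_at
 * past the end gives the error-free round trip, which must return 0. */
int cfb8_bytes_in_error(size_t corrupt_at)
{
    int wrong[64], count = 0;
    size_t n = cfb8_trial(corrupt_at, IV, wrong);
    for (size_t i = 0; i < n; i++) count += wrong[i];
    return count;
}
/* 1 if the damaged byte is wrong and every byte from corrupt_at + 9 on is right. */
int cfb8_resynchronizes(size_t corrupt_at)
{
    int wrong[64];
    size_t n = cfb8_trial(corrupt_at, IV, wrong);
    if (corrupt_at >= n || !wrong[corrupt_at]) return 0;
    for (size_t i = corrupt_at + 9; i < n; i++) if (wrong[i]) return 0;
    return 1;
}
/* A receiver started with unknown register contents is in step once eight
 * cipher characters have passed through it. */
int cfb8_in_step_after_eight(void)
{
    int wrong[64];
    size_t n = cfb8_trial(64, 0, wrong);   /* receiver register starts at 0, not at IV */
    for (size_t i = 8; i < n; i++) if (wrong[i]) return 0;
    return 1;
}
int main(void)
{
    printf("error-free bytes wrong: %d\n", cfb8_bytes_in_error(64));
    printf("bytes wrong after a one-bit error at byte 10: %d, resynchronized: %d\n",
           cfb8_bytes_in_error(10), cfb8_resynchronizes(10));
    printf("receiver in step after eight characters: %d\n", cfb8_in_step_after_eight());
    return 0;
}
```

The self-synchronizing behaviour comes from feeding back the cipher byte rather than the plain byte: after eight characters both input registers hold exactly the last eight cipher bytes seen on the line, whatever they started with. The same mechanism bounds error extension to nine characters, which is the difficulty the paragraph above alludes to; in the 64-bit block mode of the previous sections a single bit error instead garbles the whole 64-bit block that contains it.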



Figure 3. Data Security Device System Application with Cipher Feedback Operation
(Diagram not reproduced. Blocks: DATA SECURITY DEVICE, PROCESSOR UNIT, PERIPHERAL INTERFACE ADAPTER (buses A and B), MODEM, DATA LINK. Cycle table for cipher feedback mode operation, with MPU, DSD and PIA actions:
    Cycle 1: FETCH DATA; ENCRYPT LAST BLOCK; READ DATA
    Cycle 2: FETCH CIPHER; READ CIPHER BYTE; SENSE DATA
    Cycle 3: COMPUTE DATA ⊕ CIPHER; DECRYPT BLOCK; STORE DATA
    Cycle 4: READ D ⊕ C; UPDATE BLOCK WITH D ⊕ C; WRITE D ⊕ C)




The block diagram of a versatile unit for encryption is shown in figure 4. The unit is configured as a plug-in Security Module for the M6800 EXORciser Microcomputer development system. A 9" by 6" board containing the DSD, Address and Data Bus buffering allows the M6800 Security Module to adapt the EXORciser to a secure data terminal. Optional Erasable Read Only Memory in the module can be addressed to load selected encryption keys into the DSD. The Module can be programmed to operate in the Block or CFB cipher mode to provide the EXORciser capability for use as a flexible secure data terminal.



Figure 4. Motorola M6800 Security Module
(Diagram not reproduced. Blocks: ADDRESS BUFFER (A0-A9), OPTIONAL EROM (2708), ADDRESS SELECT SWITCHES, ADDRESS DECODE and chip select (CS), DATA BUS SELECT, CONTROL BUFFER (R/W, RESET, VMA), DSD with PE and BUSY outputs, DATA BUFFER (D0-D7), 2 MHz CLOCK GEN.)



10. Conclusion

The Data Security Device, an LSI implementation of the Data Encryption Standard, provides a flexible means of incorporating data security into microprocessor based terminals and minicomputer systems. Design features which make the chip appear as an additional member of a microcomputer family allow economical hardware and software solutions to growing computer security needs.




APPENDIX

Question and Answer Session

The following questions were submitted in writing during the Conference. The answers were prepared by either the speaker, the session chairman or the editor.



Question: To Scott Taylor, Collins of Rockwell International

Did you say that the cost would decrease at the same time that the speed and density increase in LSI technology so that we get a factor of 1000 improvement over the next five years?

Answer:

No. You can optimize on any one of the parameters but you cannot optimize on all of them at the same time so that you will get this high a factor of improved LSI efficiency in the next five years. The actual improvement will depend upon whatever factor is being optimized and the cost of optimization.

Question:

How does one obtain a copy of the document referenced by Mr. McDonnell on EFT security?

Answer:

By writing to the National Commission on Electronic Funds Transfer, Washington, D.C. 20429.

Question: To Barrie Morgan, Datotek, Incorporated

How do you suppress control characters in the cipher text of a DES device?

Answer:

The algorithm used to suppress forbidden characters depends on the code set being used. ASCII and EBCDIC each require different forms of suppression. In some cases, a look-up table can be used.






Question:

Whom may I contact to obtain more information on DES protocols in communications applications?

Answer:

There are two sources: Dr. Dennis K. Branstad of NBS, phone number 301-921-3061; and Mr. Ed Stephan, GSA, phone number 202-566-1180.



Question:

Would NBS please reconcile the fact that an encryption algorithm capable of being implemented in either hardware or software is needed, but that the DES is only to be implemented in hardware?

Answer:

The DES is only to be implemented in hardware, i.e., electronic devices with read-only memory, micro-programs or in dedicated microprocessors. The DES can be validated easily in these forms and is very difficult to be modified by unauthorized people. Software may be used to interface the DES device to its application. Software algorithms were not considered in our solicitation or our evaluation for these reasons.



Question: To Barrie Morgan, Datotek, Incorporated

If messages consist of digits only (typical of EFT transaction data), is the security provided by DES compromised by enciphering only the least significant bits of an 8-bit code?

Answer:

To the best of our knowledge, the security provided by the DES will not be compromised if only the least significant bits of the data code are enciphered. This technique may be used to assure that control characters do not appear in the cipher stream.

Question: To Stephen Walker, ARPA

In a packet oriented system, such as HDLC, how can encrypted data be routed?

Answer:

End-to-end encryption techniques, applied in packet-switched networks, require that one encrypt the data only. The headers and control information must be transmitted in the clear. If the address information is sensitive, then link encryption must be used also between the switches.

Question: To Scott Taylor, Collins of Rockwell International

What is the overall effective speed in the Collins implementation of the DES?

Answer:

[illegible] megabits. On the Collins chip, input, output and processing are all done in parallel in order to achieve this high throughput.

Question: To Kris Rallapalli, Fairchild Semi-Conductor

What is the approximate cost of the Fairchild four-chip DES device?

Answer:

The estimated price at this time is $200.00.


Question:

What interest has the Government expressed in implementing the DES in military cryptographic equipment?

Answer:

The DES was not designed for use in military applications. This is clearly stated in FIPS PUB 46.

Question:

The Office of Telecommunications Policy Circular 15 significantly downplayed the need for encryption to protect privacy in data communications. What is the position of NBS in response to this question?

Answer:

The Privacy Act of 1974 does not explicitly require encryption. This law does require that an adequate level of protection be provided for sensitive data in high threat environments. Circular 15, as drafted by OTP, simply states that most personal data handled within the Government does not exist in these environments. It does not say that encryption cannot be used.






Question: To Kris Rallapalli, Fairchild Semi-Conductor

How would a DES device encrypt a file on a storage unit such as a magnetic tape so that it is "different" from a similar file on the same unit?

Answer:

Encrypted data is not inherently different from unencrypted data. The DES is totally transparent to data codes and likewise protects all possible data codes. Therefore, a data file must be marked in some way as being encrypted. In addition, the cryptographic protection of stored data requires a different approach from that of communications. First of all, the encryption key used to protect the data must itself be stored and protected as long as the data is to be retained for later use. The key used to encrypt the data must in some way be associated with that file. Methods for achieving this are being developed.

Question: To Keith Warble, Motorola

What is the cost of the M6800 security module that he presented?

Answer:

Our estimated cost for the security module including a DES chip and related interface devices on a 6" x 9" card is $495.00. It will be available some time in mid 1977. (Editor's Note: Motorola has announced an M6800 Data Security Module for $475 and an Intel 8080 Data Security Module for $495.)



Question: To Barrie Morgan, Datotek, Incorporated

Why not process the enciphered data and send the ETX (end of text) in the clear so that single bit errors would be far less likely to disrupt communications?

Answer:

That is the normal procedure. In ASCII the control characters are passed unenciphered and all control characters which happen to occur in the cipher stream are flagged to prevent their being interpreted as control characters.

Question: To Clark Weissman, System Development Corporation

How are automated key management keys protected?

Answer:

A key that is electronically transmitted must be encrypted under a key that has never been transmitted through the electronic network.



Question:

Is the DES under export control?

Answer:

The export of all cryptographic equipment is controlled under Code of Federal Regulations 22: 121-128. The Office of Munitions Control of the United States State Department enforces this regulation. It is expected, however, that licenses can be obtained to export DES devices.

Question: To Carl Campbell, Interbank Card Association

What impact will the DES have on communications networks, i.e., network management and compatibility with existing common carrier networks?

Answer:

The DES can and should be implemented so that it is transparent to network management and has little, if any, impact on the network itself. The common carrier network should not be affected by the DES if it is implemented and used properly. Only a negligible effect will be apparent to users if the communications line is not noisy. If there are many natural errors on a communications line, the impact of using the DES will be greater, i.e., the DES will multiply single bit errors, usually by a factor of 64. However, error detection protocols should minimize any effect of this phenomenon.

Question: To Keith Warble, Motorola

Is a preliminary specification sheet available for the Motorola Data Security Module?

Answer:

A copy of the preliminary specs can be obtained by writing to Mr. Durrell Hillis, Motorola, G.E.D., 8201 East McDowell Road, Scottsdale, Arizona 85252.






Question: To Clark Weissman, System Development Corporation

How do the DES and CRC (cyclic redundancy check) complement each other to prevent fraudulent modification of messages in a packet?

Answer:

The CRC error detection code or any similar polynomial code may be used in conjunction with the DES to provide message authentication. The error detection code should be generated on the plain message, then encrypted along with the message and the resulting cipher transmitted. The receiver should decipher the message, compute the error detection code from the received data and compare it with the error detection code transmitted with the data. This scheme will ensure that a message cannot be modified, even by an authorized person, without being detected by the receiver.

To prevent a "record and replay" threat from being used, a message sequence number must be generated, encrypted and transmitted with a message. The receiver must then verify that no messages have been lost, inserted or retransmitted.

Question:

Isn't there a problem with encrypting data for storage and not being able to read it later?

Answer:

If encryption is used to protect valuable data in storage, some method must be used to assure that it has been encrypted properly before it is stored, and then that it is also stored properly. Several alternatives are possible:

1. An independent device may be used to read the storage medium to assure that it has been written properly.

2. An independent device may be used to write a second copy which is then compared with the first.

3. In many data storage applications, the DES device may be completely duplicated and the results of the two independent devices compared before the data is written.


Question: To Robert Courtney, International Business Machines

Given a data storage environment, e.g., tape library or a shared disk system with combinations of both sensitive and non-sensitive data files, would you recommend protection of the sensitive data by anonymity, i.e., not labeling it as being sensitive, or physically labeling the sensitive data and using rigid administrative procedures for protecting the sensitive data?



Answer: 



Sensitivity is a "degree to which" sort of thing. It is rarely a simple binary variable. If you have relatively few sensitive tapes or disk packs which can reasonably be put in a vault, this is typically adequate given that the physical security is good. In general, sensitive data should be labeled as such and be given adequate protection. Security through anonymity generally is only adequate in a benign environment. In nearly all cases such as you describe, one should also examine the threats to the data from accidental or intentional modification and destruction. One usually finds that all stored data should be protected against these threats because the organization (company, agency) is often dependent on the availability of the data.



Question:

'To what extent has NSA participated in the DES development? 

Answer:

IBM developed the algorithm as published in the DES and submitted it to NBS during its public solicitations. NBS requested NSA to evaluate the algorithm for use in unclassified applications in the Federal Government. IBM designed the algorithm and NBS published it without any change.



Question:



What procedure will be followed and what criteria must be met in order for a waiver to be granted for a DES implementation in software?

Answer:

As stated in FIPS PUB 46, the DES is to be used by Federal agencies when encryption is desired and when the data to be protected is unclassified. The standard requires implementation of the DES in hardware for Federal usage. Software implementations in general purpose computers are not considered as complying with the standard. Federal agencies may waive the provisions of the DES after the conditions and justifications for the waiver have been coordinated with NBS. Software implementations for operational use must receive a waiver. However, software implementations for testing or evaluation do not require a waiver. The criteria to be considered when waiving the provisions of the DES include the intended use of DES, how often it will be used, the impact on the system of a software implementation and the security required in the application.

Question : 

The GSA recently responded to an agency's request to implement a secure telecommunications system to meet mandated confidentiality requirements by indicating that the Communications Act of 1934 outlawed interception and misuse of communications. GSA indicated that communications security for civilian agencies was therefore not needed. How should you interpret this in light of today's conference?

Answer:

The Communications Act of 1934 made the aural interception of communications illegal. A Federal Communications Commission investigation over the last several years has addressed the issue of interception of digital communications; the common interpretation is that the interception of digital communications does not violate the 1934 law. Incidentally, just making an act illegal does not necessarily stop it from occurring.


Question: To Clark Weissman, System Development Corporation

Doesn't the network security center approach to computer network security have a problem if an intruder gets the key used to protect future keys to be distributed within the network?

Answer: 

If an intruder does obtain the device key used to distribute a working key to the device, it is obvious that the intruder can obtain all such working keys. Therefore, the device key must be given a very high level of protection and be changed on a regular basis, as well as whenever a security breach is suspected. The distribution and entry of device keys should be done by manual methods and the process must be protected.



Question: 


In what time-frame is it expected that there will be sufficient demand for data encryption in commercial timesharing networks offering services to the Federal Government to warrant implementation?

Answer:

Data encryption will probably be requested as a feature in a time-sharing service for the Federal Government in two to five years.



Question : To Clark Weissman, System Development Corporation 

What are the disadvantages of a network security center (NSC) for key 
generation and distribution? 


Answer:

None has been built to date, but the cost of an NSC will probably be high initially; there will be some overhead associated with the distribution of keys in the network. The security of an NSC must be very high. Maintenance of the data base of authorized users, terminals and computers, as well as their associated keys, will be difficult and therefore costly. In addition, the normal costs of data base maintenance will be incurred at the NSC.

Question:

A recent paper by Professor Hellman of Stanford University has criticized the DES from various aspects. In particular, he claims that a characteristic of the DES can be used to cut the search time for an unknown key by 50% under a partially chosen plaintext attack. He also claims that the substitution tables are "fairly close to linear", that S-4 is 75% redundant and that the algorithm may contain a trap door. How were the substitution tables developed; are they truly random or do they have specific structure?

Answer:

The DES algorithm was reviewed by experts in encryption, including Professor Hellman, at a workshop held at NBS in September 1976. The characteristic of the algorithm identified by Professor Hellman is well known and can be used for various purposes. In particular, the characteristic is that if all of the inputs to the algorithm are complemented, the output is complemented. The chosen plaintext attack requires that a penetrator be able to collect not only matching plain and encrypted data, but also be able to collect matched plain and encrypted data that is the complement of the first data. This is not always possible. If an exhaustive search is made to find an unknown key, all of the possible keys must be potentially tested, but only half, namely 36 quadrillion, of the actual encryption operations must be performed. In actual work factor, the reduction is less than 50%. The characteristic is useful to implementors in that the encryption devices may be easily tested during operation by simply complementing all of their inputs and being sure that the results of an encryption or decryption operation are also complemented.

The results of Professor Hellman's work show that the S boxes were not linear. No one at the September workshop could demonstrate the existence of a "trap door" in the DES algorithm. The designer of the algorithm stated that the substitution tables are not random, that they indeed have structure based on a selected set of necessary and sufficient security criteria, and that a set was chosen to particularly minimize their implementation in LSI technology.
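The complementation characteristic and the two uses this answer gives it, as an added example that is not taken from the proceedings: a toy 4-round Feistel (32-bit block, 16-bit key, constructed here, not DES) mixes its round key by XOR the way DES does, so complementing key and plaintext complements the ciphertext; `self_test` is the operational check on a device, and `halved_search` is the exhaustive search that encrypts under only half of the keys (2^15 here, standing in for the 36 quadrillion of 2^55) when a plaintext and its complement are both available.

```python
import hashlib

MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF
# Fixed 8-bit substitution table, constructed here as a hash-ordered permutation (not a DES S-box).
SBOX = sorted(range(256), key=lambda x: hashlib.sha256(bytes([x])).digest())

def _subkey(key: int, rnd: int) -> int:
    """Round key = bit rotation of the key, so complementing the key complements every round key."""
    s = 4 * rnd
    return ((key << s) | (key >> (16 - s))) & MASK16

def _f(right: int, k: int) -> int:
    """Round function: XOR the round key in, then substitute byte-wise. As in DES, the XOR
    is why a complemented half and a complemented key give an unchanged round output."""
    x = right ^ k
    return SBOX[x & 0xFF] | (SBOX[x >> 8] << 8)

def encrypt(key: int, block: int) -> int:
    """Toy 4-round Feistel: 32-bit block, 16-bit key (constructed stand-in; not DES)."""
    left, right = block >> 16, block & MASK16
    for rnd in range(4):
        left, right = right, left ^ _f(right, _subkey(key, rnd))
    return (left << 16) | right

def self_test(key: int, block: int) -> bool:
    """Operational check: complement all inputs and confirm the output is complemented."""
    return encrypt(key ^ MASK16, block ^ MASK32) == encrypt(key, block) ^ MASK32

def halved_search(p: int, c: int, c_comp: int):
    """Exhaustive search given (p, c) and its complement pair (~p, c_comp).
    One encryption under k tests both k and ~k, so only half the key space is tried.
    Returns (key, encryptions performed) or (None, encryptions performed)."""
    trials = 0
    for k in range(1 << 15):            # keys with top bit 0; their complements have top bit 1
        trials += 1
        x = encrypt(k, p)
        if x == c:                      # k itself is the key
            return k, trials
        if x ^ MASK32 == c_comp:        # E_{~k}(~p) == ~E_k(p) == c_comp, so ~k is the key
            return k ^ MASK16, trials
    return None, trials
```

Each trial still costs a complement and a second comparison on top of the encryption, which is why the answer puts the reduction in actual work factor at less than 50%.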

Question:

Technical questions on the following subjects were also posed: cost of DES device; mean time between failure; delay imposed on communication system; reduction in data transfer rate; increase in transmission errors; test method for devices.


Answer: 


The answers to these questions will vary with many factors. The cost of an LSI DES device will depend on market volume, the technology used, the speed of the device and the yield of its products. Typical purchase prices may range from $50-$200 per LSI chip. When imbedded in a terminal, the price may range from 5-15% of the cost of the terminal. When implemented in a stand-alone encryption unit, the price will range from $1500-$4000.

Mean time between failure for most encryption units will be measured in years. Delay in communications will be measured in micro-seconds and reduction in data transfer rate will be negligible, and will often be used to detect accidental errors or intentional errors induced in the communication system.

The devices will be tested in various ways. Redundant DES devices may be used and output compared before encrypted data can be transmitted or stored. The complementary characteristic of the algorithm can be used to test an operational device. Loop-back tests can be used. Known test patterns can be used periodically. Independent devices can and should be used before critical data is stored in encrypted form for a long period of time.






U.S. DEPT. OF COMM. BIBLIOGRAPHIC DATA SHEET

1. PUBLICATION OR REPORT NO.: NBS SP 500-27
2. Gov't Accession No.:
3. Recipient's Accession No.:
4. TITLE AND SUBTITLE: COMPUTER SCIENCE & TECHNOLOGY: Computer Security and the Data Encryption Standard
5. Publication Date: February 1978
6. Performing Organization Code: 640.01
8. Performing Organ. Report No.:
9. PERFORMING ORGANIZATION NAME AND ADDRESS: NATIONAL BUREAU OF STANDARDS, DEPARTMENT OF COMMERCE, WASHINGTON, D.C. 20234
10. Project/Task/Work Unit No.:
11. Contract/Grant No.:
12. Sponsoring Organization Name and Complete Address (Street, City, State, ZIP): U.S. Civil Service Commission, 1900 E Street, NW, Washington, D.C. 20415; and the National Bureau of Standards, Washington, D.C. 20234
13. Type of Report & Period Covered: Conference Proceedings
14. Sponsoring Agency Code:
15. SUPPLEMENTARY NOTES: Library of Congress Catalog Card Number: 78-l/;03
16. ABSTRACT (A 200-word or less factual summary of most significant information. If document includes a significant bibliography or literature survey, mention it here.):

These proceedings include papers or summaries of presentations of the fifteen speakers who participated in the Conference on Computer Security and the Data Encryption Standard held at the National Bureau of Standards on February 15, 1977. Representatives from Federal agencies and private industry presented technical information and guidance with respect to computer security and the Data Encryption Standard. Subjects of the papers and presentations include physical security, risk assessment, software security, computer network security, applications and implementation of the Data Encryption Standard. The questions raised at the conference and their answers are included in the proceedings.

17. KEY WORDS (six to twelve entries; alphabetical order; capitalize only the first letter of the first key word unless a proper name; separated by semicolons): Computer security; cryptography; Data Encryption Standard; encryption; key management; network security.
18. AVAILABILITY: Unlimited. Order From Sup. of Doc., U.S. Government Printing Office, Washington, D.C. 20402, SD Stock No. SN003-003-
19. SECURITY CLASS (THIS REPORT): UNCLASSIFIED
20. SECURITY CLASS (THIS PAGE): UNCLASSIFIED
21. NO. OF PAGES: 13?
22. Price: $3.00



